On 2/9/2016 12:07 PM, Kathleen Wilson wrote:

        [snipped]

> * Audit: Annual audits are performed by LSTI according to the ETSI TS 
> 102 042 criteria.
> http://www.lsti-certification.fr/images/liste_entreprise/Liste%20PSCe.pdf
> https://bug1025095.bugzilla.mozilla.org/attachment.cgi?id=8590352

Has an audit been performed with respect to the current ownership and
management, which changed less than six months ago?


> * Potentially Problematic Practices:
> (http://wiki.mozilla.org/CA:Problematic_Practices)
> ** Both external CAs and External RAs are allowed.
> RCA CP describes how the Root CA, ICA and all CAs (OpenTrust’s CAs and 
> Customers’ CAs) are audited. Please refer to sections 1.4, 4.1, 4.2 and 8 
> of the RCA’s CP.
> ** Externally Operated SubCAs: Currently none, but the CP does allow for 
> external CAs.
> *** RCA CP section 1.1: The present CP represents the common 
> requirements that RCAs, ICAs and CAs have to enforce to be signed by an 
> RCA or an ICA and designates standards to be implemented by a CA in 
> order to issue Subscriber (or Subject) Certificates.
> OpenTrust manages its RCA certificates’ lifecycle as detailed in [ETSI 
> 102 042] and [ETSI 101 456]. CAs signed by an RCA or an ICA shall be 
> audited against ETSI standards (102 042 and/or 101 456) or WebTrust 
> (http://www.webtrust.org/item64428.aspx) or according to rules defined 
> by [Adobe] for all types of Subscriber certificates it issues and in the 
> certification path of the RCA. In case the CA issues SSL and / or email 
> certificates, as an alternative to the above audits, this CA may be 
> technically constrained in the CA certificate and audited by OpenTrust.
> *** RCA CP section 4.1.2.3: For SSL/TLS Certificate and email 
> certificate under [Mozilla] program, choice for the CA certificate
> between “audit” against ETSI standards, or [CAB Forum] for SSL/TLS, 
> (refer to section 8 below) or “technical constraint” (refer to section 
> 10.3 below).
> - If Subscribers are only internal: Customer may choose to have only 
> “technical constraint”.
> - If some Subscribers are external: Customer shall choose to have 
> “audit” against ETSI standards (refer to section 8 below).
> - If the “Technical constraint” choice is made, then the following 
> information shall be provided:
> — All the domain names to be set in extension “Name Constraint” for 
> “dnsNames” if Subscriber Certificates are for SSL certificates and/or 
> email protection, to be set in the CA certificate (refer to section 10.3 
> below).
> — All the domain names to be set in extension “Name Constraint” for 
> “rfc822names” if Subscriber Certificates are for email protection, to be 
> set in the CA certificate (refer to section 10.3 below).
> — All the possible “Extended Key Usage” values that are set in the 
> Subscriber Certificates, in order to be set in the CA certificate (refer 
> to section 10.3 below).

Have any of the external CAs or RAs been audited since the recent change
of ownership?

-- 
David E. Ross

The Crimea is Putin's Sudetenland.
The Ukraine will be Putin's Czechoslovakia.
See <http://www.rossde.com/editorials/edtl_PutinUkraine.html>.
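Added example (not from this thread and not OpenTrust's code): a Go check of the technical-constraint conditions quoted above from RCA CP section 4.1.2.3, run against a self-signed sample CA built with the standard library. The domain example.com, the sample CA and the function names are assumptions; the check looks only at permitted Name Constraints subtrees and the serverAuth / emailProtection EKUs.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// TechnicallyConstrained applies the rule quoted from RCA CP section 4.1.2.3: the CA certificate
// needs an EKU extension, a dnsName Name Constraint if it may issue SSL/TLS, and an rfc822Name one for email.
func TechnicallyConstrained(c *x509.Certificate) bool {
	ok := len(c.ExtKeyUsage)+len(c.UnknownExtKeyUsage) > 0 // an EKU extension must be present
	for _, u := range c.ExtKeyUsage {
		if u == x509.ExtKeyUsageServerAuth && len(c.PermittedDNSDomains) == 0 {
			ok = false // may issue SSL/TLS certificates but carries no dnsName constraint
		}
		if u == x509.ExtKeyUsageEmailProtection && len(c.PermittedEmailAddresses) == 0 {
			ok = false // may issue email certificates but carries no rfc822Name constraint
		}
	}
	return ok
}

// MakeCA builds a self-signed sample CA (constructed here, not an OpenTrust certificate) with the given constraints.
func MakeCA(dns, emails []string, eku []x509.ExtKeyUsage) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Sample Customer CA"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, ExtKeyUsage: eku,
		PermittedDNSDomains: dns, PermittedEmailAddresses: emails, PermittedDNSDomainsCritical: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der) // re-parse so the check sees exactly what relying parties see
}
```

To check a real intermediate, pass the result of x509.ParseCertificate on its DER to TechnicallyConstrained in place of the MakeCA sample.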