On 2/9/2016 12:07 PM, Kathleen Wilson wrote: [snipped]
> * Audit: Annual audits are performed by LSTI according to the ETSI TS
> 102 042 criteria.
> http://www.lsti-certification.fr/images/liste_entreprise/Liste%20PSCe.pdf
> https://bug1025095.bugzilla.mozilla.org/attachment.cgi?id=8590352

Has an audit been performed with respect to the current ownership and
management, which changed less than six months ago?

> * Potentially Problematic Practices:
> (http://wiki.mozilla.org/CA:Problematic_Practices)
> ** Both external CAs and External RAs are allowed.
> RCA CP describes how Root CA, ICA and all CAs (OpenTrust’s CA and
> Customer’s CA) are audited. Please refer to sections 1.4, 4.1, 4.2 and 8
> of the RCA’s CP.
> ** Externally Operated SubCAs: Currently none, but the CP does allow for
> external CAs.
> *** RCA CP section 1.1: The present CP represents the common
> requirements that RCAs, ICAs and CAs have to enforce to be signed by a
> RCA or an ICA and designates standards to be implemented by a CA in
> order to issue Subscriber (or Subject) Certificates.
> OpenTrust manages its RCA certificates lifecycle as detailed in [ETSI
> 102 042] and [ETSI 101 456]. CAs signed by a RCA or an ICA shall be
> audited against ETSI standards (102 042 and/or 101 456) or WebTrust
> (http://www.webtrust.org/item64428.aspx) or according to rules defined
> by [Adobe] for all types of Subscriber certificates it issues and in the
> certification path of the RCA. In case the CA issues SSL and/or email
> certificates, as an alternative to the above audits, this CA may be
> technically constrained in the CA certificate and audited by OpenTrust.
> *** RCA CP section 4.1.2.3: For SSL/TLS Certificates and email
> certificates under the [Mozilla] program, the choice for the CA certificate
> is between “audit” against ETSI standards, or [CAB Forum] for SSL/TLS
> (refer to section 8 below), or “technical constraint” (refer to section
> 10.3 below).
> - If Subscribers are only internal: Customer may choose to have only
> “technical constraint”.
> - If some Subscribers are external: Customer shall choose to have
> “audit” against ETSI standards (refer to section 8 below).
> - If the “Technical constraint” choice is made, then the following
> information shall be provided:
> — All the domain names to be set in the “Name Constraint” extension for
> “dnsNames” if Subscriber Certificates are for SSL and/or email
> protection, to be set in the CA certificate (refer to section 10.3
> below).
> — All the domain names to be set in the “Name Constraint” extension for
> “rfc822names” if Subscriber Certificates are for email protection, to be
> set in the CA certificate (refer to section 10.3 below).
> — All the possible “Extended Key Usage” values that are set in the
> Subscriber Certificate, in order to be set in the CA certificate (refer
> to section 10.3 below).

Have any of the external CAs or RAs been audited since the recent change
of ownership?

--
David E. Ross
The Crimea is Putin's Sudetenland.
The Ukraine will be Putin's Czechoslovakia.
See <http://www.rossde.com/editorials/edtl_PutinUkraine.html>.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
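To make the "technical constraint" alternative in RCA CP section 4.1.2.3 concrete, here is an added example that is not part of the thread and not OpenTrust's code or tooling. It is a Go program using only the standard library's crypto/x509 package: it issues a sub-CA certificate from a profile carrying the three items the CP asks the customer to supply (the EKUs, the dNSName constraints, the rfc822Name constraints) under a throwaway in-memory root, then parses the result and applies the CP's rule to decide whether the certificate counts as technically constrained. All names (corp.example, the root CN, the profile names) are constructed. The check also rejects anyExtendedKeyUsage, which the quoted excerpt does not spell out but which Mozilla's policy forbids in a constrained CA certificate; Mozilla's policy additionally asks for iPAddress constraints alongside dNSName for TLS-issuing CAs, which this example does not check.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// SubCAProfile holds what the quoted CP asks a customer to supply for a
// "technical constraint" CA certificate: the EKUs the CA will issue for,
// and the name spaces to lock into the Name Constraints extension.
type SubCAProfile struct {
	CommonName    string
	EKUs          []x509.ExtKeyUsage
	PermittedDNS  []string // permittedSubtrees, dNSName entries
	PermittedMail []string // permittedSubtrees, rfc822Name entries
}

// IssueSubCA signs a CA certificate for p under a throwaway in-memory root
// so the example runs offline. All names are constructed (hypothetical).
func IssueSubCA(p SubCAProfile) (*x509.Certificate, error) {
	rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	subKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	root := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "Example Root CA (constructed)"},
		NotBefore:    now, NotAfter: now.Add(24 * time.Hour),
		IsCA:         true, BasicConstraintsValid: true,
		KeyUsage:     x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: p.CommonName},
		NotBefore:    now, NotAfter: now.Add(24 * time.Hour),
		IsCA:         true, BasicConstraintsValid: true,
		KeyUsage:     x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		// EKU in a CA certificate bounds what its subscriber certificates may be used for.
		ExtKeyUsage: p.EKUs,
		// Name Constraints: only these dNSName / rfc822Name spaces may appear below this CA.
		PermittedDNSDomains:         p.PermittedDNS,
		PermittedEmailAddresses:     p.PermittedMail,
		PermittedDNSDomainsCritical: true, // marks the whole NameConstraints extension critical
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, root, &subKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// ConstraintReport records what an inspection of a CA certificate finds.
type ConstraintReport struct {
	IsCA            bool
	HasEKU          bool // an EKU extension is present at all
	AnyEKU          bool // anyExtendedKeyUsage present: authorises every usage
	TLS             bool // id-kp-serverAuth present
	Email           bool // id-kp-emailProtection present
	DNSConstrained  bool // dNSName permitted or excluded subtrees present
	MailConstrained bool // rfc822Name permitted or excluded subtrees present
}

// Inspect reads the fields relevant to technical constraint from a parsed CA certificate.
func Inspect(c *x509.Certificate) ConstraintReport {
	r := ConstraintReport{
		IsCA:            c.IsCA,
		HasEKU:          len(c.ExtKeyUsage)+len(c.UnknownExtKeyUsage) > 0,
		DNSConstrained:  len(c.PermittedDNSDomains)+len(c.ExcludedDNSDomains) > 0,
		MailConstrained: len(c.PermittedEmailAddresses)+len(c.ExcludedEmailAddresses) > 0,
	}
	for _, e := range c.ExtKeyUsage {
		switch e {
		case x509.ExtKeyUsageAny:
			r.AnyEKU = true
		case x509.ExtKeyUsageServerAuth:
			r.TLS = true
		case x509.ExtKeyUsageEmailProtection:
			r.Email = true
		}
	}
	return r
}

// Constrained applies the rule from the quoted CP section 4.1.2.3: an EKU
// extension listing the usages the CA may issue for, dNSName constraints
// if it may issue SSL/TLS or email certificates, and rfc822Name constraints
// if it may issue email certificates. anyExtendedKeyUsage is treated as
// unconstrained (Mozilla policy, not stated in the quoted excerpt).
func (r ConstraintReport) Constrained() bool {
	if !r.IsCA || !r.HasEKU || r.AnyEKU {
		return false
	}
	if (r.TLS || r.Email) && !r.DNSConstrained {
		return false
	}
	if r.Email && !r.MailConstrained {
		return false
	}
	return true
}

func main() {
	tls, mail := x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageEmailProtection
	profiles := []SubCAProfile{ // constructed profiles
		{"Customer CA, TLS+email, both name spaces constrained", []x509.ExtKeyUsage{tls, mail}, []string{"corp.example"}, []string{"corp.example"}},
		{"Customer CA, email EKU but no rfc822Name constraint", []x509.ExtKeyUsage{tls, mail}, []string{"corp.example"}, nil},
		{"Customer CA, no EKU and no Name Constraints", nil, nil, nil},
	}
	for _, p := range profiles {
		c, err := IssueSubCA(p)
		if err != nil {
			panic(err)
		}
		r := Inspect(c)
		fmt.Printf("%-55s constrained=%v %+v\n", p.CommonName, r.Constrained(), r)
	}
}
```

The second profile is the case a reviewer most often has to catch: the CA certificate is name-constrained for dNSName, so it looks constrained at a glance, but it also carries id-kp-emailProtection with no rfc822Name subtree, so it can issue S/MIME certificates for any mailbox and therefore does not qualify as technically constrained under the CP's own wording.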