Hello,

On Tuesday, 9 February 2016 22:41:37 UTC+1, David E. Ross wrote:
> On 2/9/2016 12:07 PM, Kathleen Wilson wrote:
> > [snipped]
> >
> > * Audit: Annual audits are performed by LSTI according to the ETSI TS
> > 102 042 criteria.
> > http://www.lsti-certification.fr/images/liste_entreprise/Liste%20PSCe.pdf
> > https://bug1025095.bugzilla.mozilla.org/attachment.cgi?id=8590352
>
> Has an audit been performed with respect to the current ownership and
> management, which changed less than six months ago?
No. Our last complete annual audit was performed in October 2015, and included these 5 new roots. The next complete audit is scheduled for October 2016. An extension audit will be performed this month (for other CAs, unrelated to this request). We asked the auditor to clearly distinguish between the two companies (Keynectis and Opentrust/Docusign France) in their next publication; we hope it will be done in March.

> > * Potentially Problematic Practices:
> > (http://wiki.mozilla.org/CA:Problematic_Practices)
> > ** Both external CAs and External RAs are allowed.
> > RCA CP describes how Root CA, ICA and all CA (OpenTrust's CA and
> > Customer's CA) are audited. Please refer to section 1.4, 4.1, 4.2 and 8
> > of the RCA's CP.
> > ** Externally Operated SubCAs: Currently none, but the CP does allow for
> > external CAs.
> > *** RCA CP section 1.1: The present CP represents the common
> > requirements that RCAs, ICAs and CAs have to enforce to be signed by a
> > RCA or an ICA and designates standards to be implemented by a CA in
> > order to issue Subscriber (or Subject) Certificates.
> > OpenTrust manages its RCA certificates lifecycle as detailed in [ETSI
> > 102 042] and [ETSI 101 456]. CAs signed by a RCA or an ICA shall be
> > audited against ETSI standards (102 042 and/or 101 456) or WebTrust
> > (http://www.webtrust.org/item64428.aspx) or according to rules defined
> > by [Adobe] for all types of Subscriber certificates it issues and in the
> > certification path of the RCA. In case the CA issues SSL and / or email
> > certificates, as an alternative to the above audits, this CA may be
> > technically constrained in the CA certificate and audited by Opentrust.
> > *** RCA CP section 4.1.2.3: For SSL/TLS Certificate and email
> > certificate under [Mozilla] program, choice for the CA certificate
> > between "audit" against ETSI standards, or [CAB Forum] for SSL/TLS,
> > (refer to section 8 below) or "technical constraint" (refer to section
> > 10.3 below).
> > - If Subscribers are only internal: Customer may choose to have only
> > "technical constraint".
> > - If some Subscribers are external: Customer shall choose to have
> > "audit" against ETSI standards (refer to section 8 below).
> > - If "Technical constraint" choice is made, then following information
> > shall be provided:
> > -- All the domain name to be set in extension "Name Constraint" for
> > "dnsNames" if Subscriber Certificate are for SSL certificate and/or
> > email protection to be set in the CA certificate (refer to section 10.3
> > below).
> > -- All the domain name to be set in extension "Name Constraint" for
> > "rfc822names" if Subscriber Certificate are for email protection to be
> > set in the CA certificate (refer to section 10.3 below).
> > -- All the possible "Extended Key Usage" that are set in the Subscriber
> > Certificate in order to be set in the CA certificate (refer to section
> > 10.3 below).
>
> Have any of the external CAs or RAs been audited since the recent change
> of ownership?

We don't have any unconstrained external CA under these 5 new roots, and no external RA.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
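The "technical constraint" option quoted from the RCA CP above (Name Constraints for dnsNames and rfc822names, plus the Extended Key Usage values, all set in the CA certificate) is something a relying party or auditor can check mechanically. The Python below is an added example and is not code from OpenTrust, Mozilla or anyone in this thread. It uses the `cryptography` library to build a constructed, self-signed CA certificate carrying those extensions, then inspects any certificate and reports whether it has the shape the CP describes. The decision rule in `is_technically_constrained` (an EKU must be present; serverAuth requires a permitted dnsName subtree; emailProtection requires a permitted rfc822Name subtree) is my reading of the CP's three listed items, not text taken from the page; the domain `example.com` and the CA name are constructed values.

```python
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

SERVER_AUTH = ExtendedKeyUsageOID.SERVER_AUTH
EMAIL_PROTECTION = ExtendedKeyUsageOID.EMAIL_PROTECTION


def build_ca(dns_domains, email_domains, ekus):
    """Build a self-signed CA certificate (constructed test data, not an
    OpenTrust certificate).  Name Constraints and EKU are set the way the
    quoted CP describes: permitted dnsName / rfc822Name subtrees and the
    EKUs that subscriber certificates under this CA will carry.  If no
    domains are given, no Name Constraints extension is added at all."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Constructed Test CA")])
    now = datetime.now(timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
        .add_extension(x509.ExtendedKeyUsage(list(ekus)), critical=False)
    )
    # A dnsName constraint "example.com" covers example.com and all of its
    # subdomains; an rfc822Name constraint that is a bare domain covers every
    # mailbox at that domain (RFC 5280 section 4.2.1.10).
    permitted = [x509.DNSName(d) for d in dns_domains]
    permitted += [x509.RFC822Name(d) for d in email_domains]
    if permitted:
        builder = builder.add_extension(
            x509.NameConstraints(permitted_subtrees=permitted, excluded_subtrees=None),
            critical=True,
        )
    return builder.sign(key, hashes.SHA256())


def describe_constraints(cert):
    """Extract the parts of a CA certificate that the CP's 'technical
    constraint' option relies on: CA flag, permitted name subtrees, EKUs."""
    info = {"is_ca": False, "dns": [], "email": [], "ekus": []}
    try:
        bc = cert.extensions.get_extension_for_class(x509.BasicConstraints).value
        info["is_ca"] = bc.ca
    except x509.ExtensionNotFound:
        pass
    try:
        nc = cert.extensions.get_extension_for_class(x509.NameConstraints).value
        for gn in nc.permitted_subtrees or []:
            if isinstance(gn, x509.DNSName):
                info["dns"].append(gn.value)
            elif isinstance(gn, x509.RFC822Name):
                info["email"].append(gn.value)
    except x509.ExtensionNotFound:
        pass
    try:
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
        info["ekus"] = list(eku)
    except x509.ExtensionNotFound:
        pass
    return info


def is_technically_constrained(cert):
    """My reading of the CP's three items (assumption, not page text): the CA
    certificate must carry an EKU; if it permits serverAuth there must be a
    dnsName constraint, and if it permits emailProtection there must be an
    rfc822Name constraint.  A CA with no EKU is treated as unconstrained."""
    info = describe_constraints(cert)
    if not info["is_ca"] or not info["ekus"]:
        return False
    if SERVER_AUTH in info["ekus"] and not info["dns"]:
        return False
    if EMAIL_PROTECTION in info["ekus"] and not info["email"]:
        return False
    return True


if __name__ == "__main__":
    good = build_ca(["example.com"], ["example.com"], [SERVER_AUTH, EMAIL_PROTECTION])
    bad = build_ca([], [], [SERVER_AUTH])
    print("constrained CA:", is_technically_constrained(good))
    print("unconstrained CA:", is_technically_constrained(bad))
```

`describe_constraints` works on any `x509.Certificate`, so the same check can be run over a real intermediate loaded with `x509.load_pem_x509_certificate`; the builder is only there to make the example self-contained. Note that Name Constraints on a CA are only as good as the path validation of the client, so this check tells you what the certificate claims, not that every relying party will enforce it.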

