On Wednesday, March 23, 2016 at 2:08:19 PM UTC-7, Kathleen Wilson wrote:
> On 12/17/15 5:34 PM, Kathleen Wilson wrote:
> > The first discussion of LuxTrust's root inclusion request was here:
> > https://groups.google.com/d/msg/mozilla.dev.security.policy/47Jz7f8E4RI/sT1wTJ2RIEMJ
> >
> >
>
> This discussion is currently on hold, because the CA would like to
> request inclusion of the new 'LuxTrust Global Root 2' root certificate
> instead of the previous 'LuxTrust Global Root CA' root cert. So, we are
> awaiting their updated information.
>
> Kathleen

The CA has resolved the questions and concerns raised during the first discussion, and has provided an updated root certificate with corresponding updated documentation and audit statement.

Please review this request from LuxTrust to include the "LuxTrust Global Root 2" certificate, turn on the Websites trust bit, and enable EV treatment.

The request is documented in the following bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=944783

Summary of Information Gathered and Verified:
https://bugzilla.mozilla.org/attachment.cgi?id=8777892

This root signs internally-operated subordinate CAs that issue SSL and code signing certificates.

Documents are in French and English.

CA Document Repository: https://repository.luxtrust.lu
CP: https://www.luxtrust.lu/upload/data/repository/LuxTrust%20Global%20Root%20CA%20-%20Certificate%20Profiles%20v1%2022.pdf
CPS: https://www.luxtrust.lu/upload/data/repository/LuxTrust_Global_Root%20CA_Certification_Practice_Statements_v1_09.pdf
SSL CPS: https://www.luxtrust.lu/upload/data/repository/LuxTrust%20SSL%20CA%20CPS%20v1.3.pdf

SSL CPS section 3.2.2: In the particular case of SSL, RAs operating under the LuxTrust SSL CA shall determine whether the domain referenced in the SSL Certificate application is owned and controlled by the subscriber. LuxTrust validates that the Subscriber has the right to control the domain names using the following verification procedures:

[1] Communicating with the technical contact information provided by the Subscriber in the order form.
[2] Communicating directly with the Domain Name Registrant using the contact information listed in the WHOIS record’s “registrant”, “technical”, or “administrative” field;
[3] Relying upon a Domain Authorization Document which contains the signature of an authorized representative of the domain holder, a date that is on or after the certificate request and a statement confirming the Subscriber’s control over the domain names in the certificate.

LuxTrust also relies on a reliable third-party, the Chamber of Commerce of Luxembourg, to confirm the authenticity of the Domain Authorization Document.

Root Certificate Download URL: https://ca.luxtrust.lu/LTGRCA2.crt

Test Website: https://ltsslca5.trustme.lu/

EV Policy OID: 1.3.171.1.1.10.5.2

CRL:
http://crl.luxtrust.lu/LTGRCA2.crl
http://crl.luxtrust.lu/LTSSLCA5.crl
SSL CPS section 4.9.7: A CRL is issued each 4 hours, at an agreed time.

OCSP:
http://ssl.ocsp.luxtrust.lu
http://ltgroot.ocsp.luxtrust.lu

Annual audits are performed by LSTI, according to the ETSI TS 102 042 criteria.

Audit Statement:
https://bugzilla.mozilla.org/attachment.cgi?id=8777887
http://www.lsti-certification.fr/images/liste_entreprise/Liste%20PSCe.pdf

This continues the discussion of the request from LuxTrust to include the "LuxTrust Global Root 2" certificate, turn on the Websites trust bit, and enable EV treatment. At the conclusion of this discussion I will provide a summary of issues noted and action items. If there are outstanding issues, then additional discussion may be needed as follow-up. If there are no outstanding issues, then I will recommend approval of this request in the bug.

Kathleen

