On Fri, Sep 16, 2016 at 2:00 PM, Kathleen Wilson <kwil...@mozilla.com> wrote:
>
> * CA Hierarchy: Diagram of CA Hierarchy: http://grca.nat.gov.tw/
> All subordinate CAs are operated by Taiwan Government organizations.
> GCA is responsible for signing certificates for government agencies. This is 
> the only intermediate cert that can issue SSL certs.
> XCA is responsible for signing certificates for organizations;
> MOICA is responsible for signing certificates for citizens;
> MOEACA is responsible for signing certificates for corporations; and
> HCA is responsible for signing certificates for health agencies.
>
> * Audit: Annual audits are performed by KPMG according to the WebTrust 
> criteria.
> WebTrust CA: https://cert.webtrust.org/SealFile?seal=2050&file=pdf
> WebTrust BR: https://cert.webtrust.org/SealFile?seal=2051&file=pdf

I'm having trouble matching up the audits with the subordinate CAs.
There are two different CAs with the same Distinguished Name but
different SubjectPublicKeyInfo and KeyIDs (https://crt.sh/?caid=186
and https://crt.sh/?caid=1330) which makes it trickier than normal,
but either way I'm not seeing all of these subordinates covered in the
audit reports.  Can someone please provide a link to each audit report
for each subordinate?

Thanks,
Peter
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
