On Fri, Sep 16, 2016 at 2:00 PM, Kathleen Wilson <kwil...@mozilla.com> wrote:
> * CA Hierarchy: Diagram of CA Hierarchy: http://grca.nat.gov.tw/
> All subordinate CAs are operated by Taiwan Government organizations.
> GCA is responsible for signing certificates for government agencies. This is
> the only intermediate cert that can issue SSL certs.
> XCA is responsible for signing certificates for organizations;
> MOICA is responsible for signing certificates for citizens;
> MOEACA is responsible for signing certificates for corporations; and
> HCA is responsible for signing certificates for health agencies.
> * Audit: Annual audits are performed by KPMG according to the WebTrust
> WebTrust CA: https://cert.webtrust.org/SealFile?seal=2050&file=pdf
> WebTrust BR: https://cert.webtrust.org/SealFile?seal=2051&file=pdf

I'm having trouble matching up the audits with the subordinate CAs.
There are two different CAs with the same Distinguished Name but
different SubjectPublicKeyInfo and KeyIDs (https://crt.sh/?caid=186
and https://crt.sh/?caid=1330) which makes it trickier than normal,
but either way I'm not seeing all of these subordinates covered in the
audit reports. Can someone please provide a link to each audit report
for each subordinate?

dev-security-policy mailing list