Hi Gervase,

On Monday, December 5, 2016 at 9:00:53 PM UTC+8, Gervase Markham wrote:
> On 04/12/16 08:17, Wen-Cheng Wang wrote:
> > You are right, there are several subordinate CAs under our Government
> > Root CA. Our Government Root CA and all its subordinate have WebTrust
> > for CA audits. However, among those subordinate CAs, only GCA will
> > issue SSL certificates. Therefore, only Government Root CA and GCA
> > have SSL BR audits. Since currently all other subordinate CAs do not
> > issue SSL certificates, it is certainly not possible for them to have
> > SSL BR audits.
> 
> Not possible technically, or not possible by policy?
> 
I mean BR Audit is specifically for CAs that provide SSL certificates. 
Therefore, it is not possible to conduct on those subordinate CAs that do not 
provide SSL certificates, and it is certainly not possible for them to get the 
WebTrust SSL BR seals. That is why in our Government PKI, the WebTrust SSL BR 
seal only covers GRCA (the root CA) and GCA (which provides SSL certificates). 
However, I would like to emphasize that the WebTrust for CA seal covers the 
whole Government PKI (including the root CA and all its subordinate CAs).

> As I understand it, Peter is pointing out that these subordinate CAs are
> not constrained, and so could issue SSL certificates which would be
> trusted in any browser which trusted the root. Therefore, their policies
> and practices have to fall under Mozilla's root policy.
> 
As for how to make sure policies and practices of all our CAs fall under 
Mozilla's root policy, every time we received Kathleen's notification about the 
revision of Mozilla's root policy, we reviewed our CP of the Government PKI and 
CPSs of all CAs seriously. If necessary, we will make amendments to our CP and 
CPSs so that they can be aligned with Mozilla's root policy and we will reply what 
we plan to do for responding to the change of Mozilla's root policy to Kathleen. 
Since we have conducted WebTrust for CA audits on the whole Government PKI 
(including the root CA and all its subordinate CAs), the audit results can 
assure our CAs are all compliant with Mozilla's root policy.

Wen-Cheng Wang
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy