Thanks to all of you who have reviewed and commented on this request from Government of Taiwan, Government Root Certification Authority (GRCA), to include their renewed Government Root Certification Authority root certificate, and turn on the Websites and Email trust bits.

To summarize this discussion so far, two primary concerns have been raised, as follows.

1) There are several intermediate certificates that are technically capable of issuing TLS certificates, but have not been audited according to the BRs. This is a show-stopper.

Reference: https://wiki.mozilla.org/CA:BaselineRequirements#Whole-Population_Audit_of_Intermediate_Certs
“BR Audits must always include the whole-population audit of intermediate certificates that are capable of issuing SSL certs.”

This means that if the intermediate certificate is not technically constrained via EKU (and name constraints) then it must be audited according to the BRs.

We have resolved this particular situation in the past by having the CA get an audit statement saying that the intermediate certificate has not issued TLS certificates during the audit period. And requiring that the CA get such an audit statement annually.

2) The new root certificate has the same exact full distinguished name as the old root certificate. I think this is OK. The CA tested this with Firefox, and provided their test results: https://bugzilla.mozilla.org/attachment.cgi?id=8818360

Question: Do I need to update https://wiki.mozilla.org/CA:How_to_apply#Root_certificates_with_the_same_subject_and_different_keys ?

Please let me know if there is anything else (other than item #1) that this CA needs to address before we may move forward with this request.

Thanks,
Kathleen

