On 2017-01-09 17:28, Rob Stradling wrote:
On 03/11/16 19:34, Jeremy Rowley wrote:
<snip>
Hi Jeremy.
7. The Belgium government is our biggest challenge in migrating
Verizon customers. With over 20 issuing CAs, Belgium has the largest
outstanding non-compliant infrastructure. The operators have also
claimed that revoking their issuing CAs is illegal (in Belgium). The
government is using the issuing CA for creating personal
identification (e-ID) cards throughout the country. The Belgium
government has dictated that they set the rules, not us. Although the
Belgium government does not have an audit yet, Verizon has represented
that the issuing CAs are hosted in the Verizon infrastructure and are
potentially covered by the Verizon audit.
I've noticed that some of the Belgian government CAs have been disclosed
to the CCADB with the CP/CPS and Audit fields marked as "Same as
Parent", whereas the CP/CPS and Audit fields for the rest of those CAs
have not yet been filled in.
Note that the Belgium root CA's information is available at:
http://repository.eid.belgium.be/index.php?lang=en
As far as I know, most of the certificates are for (client)
authentication and signatures as used by the government itself and some
websites that make use of it. Those should already be set up to trust
that root for client authentication. I think I also found some websites,
but most actually use a different CA. So it seems unlikely that many
public websites would get broken by revoking it.
Kurt
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
