On 03/08/17 08:01, Olfa Kaddachi wrote:
> ==> Some of these controls are already in place (such as the field CN and
> Subject Alternative Name that does not contain a private IP address).

That doesn't quite answer my question. Let me ask another way: for how long has the Government of Tunisia CA been aware of the Baseline Requirements? From what date do you assert that you have been compliant with these requirements?

> 4- Validation of the technical data included in the CSR: The RA operator
> checks:
>
> Digital Signature Algorithm: SHA256
> Key Algorithm: RSA
> Key Size: 2048

Why can such things not be checked programmatically? It seems you are opening yourselves up to the possibility of human error.

> Moreover, the NDCA is now implementing a new Managed PKI platform which will
> be in production by the end of September 2017. For the moment, the only
> improvement done is the printing of all the subject alternative names in the
> certificate for the RA operators, in addition to the other fields (CN, O, OU,
> mail) in such a way that they can visually check all the fields before the
> delivery of the certificate.

A visual check may not catch every problem. For example, would it catch a trailing space?

>> From what date would you say that your CA has been compliant with the CAB
>> Forum Baseline Requirements?
>
> ==> The TunRootCA2 and TunServerCA2 passed two successive external audits
> performed by LSTI. The last audit took place from 27th to 30th September 2016
> in applying the relevant ETSI Technical Specifications ETSI TS 102042v2.4.1.

And that audit includes a BR audit? Did the audit report have any qualifications?

Gerv

_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy
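The programmatic CSR checks Gerv asks about, written out as an added example (not code from the thread, the NDCA or Mozilla): a Go standard-library check that a request is signed with SHA-256 over RSA, carries an RSA key of at least 2048 bits, lists no private or loopback IP in the SAN, and has no dNSName with a leading or trailing space. The CSR is constructed in-process with a throwaway key, and the CN and names are placeholders.

```go
package main
import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"net"
	"strings"
)
// checkCSR applies the RA checks from the thread to a parsed CSR: SHA-256 RSA signature, RSA key of at
// least 2048 bits, no private/loopback/link-local SAN IP, and no leading/trailing whitespace in a dNSName.
func checkCSR(csr *x509.CertificateRequest) (problems []string) {
	if csr.SignatureAlgorithm != x509.SHA256WithRSA {
		problems = append(problems, "signature algorithm is not SHA256-RSA: "+csr.SignatureAlgorithm.String())
	}
	if pub, ok := csr.PublicKey.(*rsa.PublicKey); !ok {
		problems = append(problems, "public key is not RSA")
	} else if pub.N.BitLen() < 2048 {
		problems = append(problems, fmt.Sprintf("RSA key too small: %d bits", pub.N.BitLen()))
	}
	for _, ip := range csr.IPAddresses {
		if ip.IsPrivate() || ip.IsLoopback() || ip.IsLinkLocalUnicast() {
			problems = append(problems, "SAN iPAddress is not publicly routable: "+ip.String())
		}
	}
	for _, name := range csr.DNSNames {
		if strings.TrimSpace(name) != name {
			problems = append(problems, fmt.Sprintf("SAN dNSName has surrounding whitespace: %q", name))
		}
	}
	return problems
}
// buildCSR makes a throwaway key and a constructed CSR (test data, not a real request) to exercise the checks.
func buildCSR(bits int, dns []string, ips []net.IP) (*x509.CertificateRequest, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{
		Subject:            pkix.Name{CommonName: "www.example.com"},
		SignatureAlgorithm: x509.SHA256WithRSA,
		DNSNames:           dns,
		IPAddresses:        ips,
	}, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificateRequest(der)
}
```

A request with a 1024-bit key, a SAN of 192.168.1.10 and a dNSName ending in a space yields three findings, all of which a visual check of printed fields can miss.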

