On 3/2/2018 2:05 PM, Wayne Thayer wrote [in part]:
NOTE: The fact that I have snipped some of the items under "==Bad=="
does not mean I consider them unimportant. However, the items on
which I comment I consider to be most important.
> * The inclusion request references a much older CPS  that doesn't list
> the 2016 versions of these roots or comply with current policies. I only
> reviewed the newer CPS , but this CPS (section 1.2.1) doesn't cover the
> older roots that are currently included. I believe this is a compliance
> issue with the currently included AC Camerfirma roots.
Is the above not sufficient to terminate the public review?
> * Last year, Camerfirma signed a contract with StartCom as a delegated RA.
> While I don’t believe the Startcom distrust plan  specifically forbade
> this, it was found that Camerfirma was not performing domain validation on
> the OV certificates  as required by the BRs.
I would strongly suggest that further action be deferred until the cited
contract can be confirmed to have been terminated.
> * There are a few published, misissued, and currently unrevoked
> certificates in the CCR2016 hierarchy:
If Camerfirma had been already approved and its root added to the RSS
database, would not the above item be sufficient to remove that root?
David E. Ross
President Trump: Please stop using Twitter. We need
to hear your voice and see you talking. We need to know
when your message is really your own and not your attorney's.
dev-security-policy mailing list