在 2018年9月1日星期六 UTC+8上午7:19:49,Wayne Thayer写道:
> * The CP/CPS documents contain version histories, but they didn’t describe > what changed in each version. SHECA began including this information in the > latest versions of these documents. > * The non-EV CP and CPS section 6.1 seem to permit CA generation of key > pairs for SSL certificates in violation of section 5.2 of Mozilla policy. > SHECA states that they have never generated key pairs for Subscribers and > revised this section of the CPS, but my interpretation is that the revision > does not forbid SHECA from generating subscriber key pairs. Hello, SHECA just published the new CP/CPS, which added the changes description of all historical veresions, as well as stated that for certificates issued by UCA Global G2 Root and UCA Extended Validation Root, SHECA must not generate key pair for subscribers. Please refer to links below for details: Non-EV CP https://assets-cdn.sheca.com/documents/unitrust-certificate-policy-en-v1.4.1.pdf Non-EV CPS https://assets-cdn.sheca.com/documents/sheca-certification-practice-statement-en-v3.6.3.pdf EV-CP https://assets-cdn.sheca.com/documents/unitrust-ev-certificate-policy-en-v1.6.pdf EV-CPS https://assets-cdn.sheca.com/documents/unitrust-ev-certification-practice-statement-en-v1.4.3.pdf Thanks. Toria Chen _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy