Frank Hecker wrote:
> Eddy Nigg (StartCom Ltd.) wrote:
>
> Section 3.2.2 of the Gold CPS includes the following:
>
> "/DC= fields will only be accepted if a printout of the WHOIS entry for 
> the domain is included. The owner of the  domain must approve the 
> request with a handwritten personal signature in the appropriate 
> position on the registration form and provide information as to his 
> identity. The RA will create a high-quality copy or scan of all required 
> supporting documentation. SwissSign validates that the person enrolling 
> for the certificate has control of the domain by requiring the
> person to respond to an e-mail hosted at that domain."
>
> So, as I read it, they determine the ostensible owner of the domain 
> based on WHOIS data, then do an identity check to verify that the 
> certificate applicant is that person. Plus they do the email check.
>
> If you have further questions please feel free to ask them in the bug; I 
> think Melanie Raemy of SwissSign is following the bug traffic but not 
> the newsgroup discussion.
Obviously I don't want to bother at the bug if unnecessary...so I prefer 
to follow up first of all here...

First of all I realized that Gerv was already up to this issue in the 
bug itself but didn't follow through entirely...Please see what I found 
out, possibly correcting me if I'm wrong. There are currently two 
separate issues which require clarification:

    1.)

    The DC fields are not relevant for server certificates (browsers).
    It's the CN field which matters...Now according to Melanie's comment
    at https://bugzilla.mozilla.org/show_bug.cgi?id=343756#c14 she mentions:

    "/DC= fields will only be accepted if a printout of the WHOIS entry
    for the domain is included." (also part of 3.2.2)

    So if the printout wasn't provided the DC fields are being omitted,
    which doesn't have any effect on the browser, which checks the CN
    field. What's also interesting is: why does the subscriber have to
    provide the WHOIS records printout instead of the CA fetching them by
    themselves as a third-party information source? (The latter is just a
    minor curiosity.)

    Now also in the Gold CP/CPS under section 3.2.2 Authentication of
    organization identity it says:

    "SwissSign validates that the person enrolling for the certificate
    has control of the domain by requiring the
    person to respond to an e-mail hosted at that domain."

    However according to this statement this can be *any* email address...

    2.)

    The Silver CP/CPS omits any reference to domain ownership or
    verification at all! Going through the entire document there is no
    actual reference to server certificates (or whois/domain checks and
    validations), but under
    http://www.mozilla.org/projects/security/certs/pending/#SwissSign
    they seem to also request that the server certificate trust bits be set.


Again, I might have missed something here...if not, I suggest that you or 
I ask for clarification at the bug.


-- 
Regards 
 
Signer:         Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber:         [EMAIL PROTECTED] <xmpp:[EMAIL PROTECTED]>
Blog:   Join the Revolution! <http://blog.startcom.org>
Phone:          +1.213.341.0390
 
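To make the concern in point 1 concrete, here is an added Python example (not from this thread, and not SwissSign's or StartCom's code) that contrasts accepting a challenge response from *any* mailbox at the domain with a constrained policy: the mailbox must either be a registrant contact taken from the WHOIS record or one of an assumed set of administrative addresses (admin, administrator, webmaster, hostmaster, postmaster) at the CN's domain or a parent of it. The public-suffix table and the sample inputs are constructed stubs for the example.

```python
import re

# Assumed policy for this example: only these local parts count as evidence of
# domain control; an arbitrary user mailbox (bob@, alice@) does not.
APPROVED_LOCAL_PARTS = {"admin", "administrator", "webmaster", "hostmaster", "postmaster"}

# Constructed stub of a public-suffix table; a real check needs the full list.
PUBLIC_SUFFIXES = {"com", "org", "net", "ch", "co.uk"}


def registrable_domain(host: str) -> str:
    """Strip a wildcard label and return the registrable domain, e.g. www.example.co.uk -> example.co.uk."""
    labels = host.lower().rstrip(".").split(".")
    if labels and labels[0] == "*":
        labels = labels[1:]
    for n in (2, 1):  # try a two-label suffix (co.uk) before a one-label suffix (com)
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    raise ValueError(f"no registrable domain in {host!r}")


def authorization_domains(cn: str) -> set:
    """Domains whose administrative mailboxes may authorize the CN: the host itself and each parent up to the base."""
    host = cn.lower().rstrip(".")
    if host.startswith("*."):
        host = host[2:]
    base = registrable_domain(host)
    labels = host.split(".")
    domains = set()
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        domains.add(candidate)
        if candidate == base:
            break
    return domains


def acceptable_validation_address(cn: str, mailbox: str, whois_contacts=()) -> tuple:
    """Return (ok, reason): does a response from `mailbox` demonstrate control of the CN's domain?"""
    match = re.fullmatch(r"([^@\s]+)@([^@\s]+)", mailbox)
    if not match:
        return False, "malformed mailbox"
    local, mail_domain = match.group(1).lower(), match.group(2).lower()
    # A registrant contact printed in the WHOIS record is accepted regardless of its domain.
    if mailbox.lower() in {c.lower() for c in whois_contacts}:
        return True, "mailbox is a registrant contact from WHOIS"
    if mail_domain not in authorization_domains(cn):
        return False, f"{mail_domain} is neither the CN's domain nor a parent of it"
    if local not in APPROVED_LOCAL_PARTS:
        return False, f"{local}@ is an arbitrary user mailbox, not an administrative one"
    return True, "administrative mailbox at an authorization domain of the CN"
```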

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
