Kathleen Wilson and I have been discussing how to re-start the evaluation process for T-Systems. If you recall, that request (bug 378882) got bogged down in a discussion of how to deal with situations where the root CA doesn't actually issue end entity certificates and the root CA's CPS doesn't address issuance of EE certs, but instead all the EE certs are issued by third-party subordinates.
Kathleen thinks, and I agree, that the best way to approach this both with T-Systems and with other CAs in general is to ask the CA to update the CP/CPS for the root to include language addressing the following:

* Clear requirements for subordinate CAs for how information in end-entity certs is to be verified, such that section 7 of the Mozilla CA policy (http://www.mozilla.org/projects/security/certs/policy/) is satisfied.
* Requirements for subordinate CAs in regards to whether or not subordinate CAs are constrained to issue certificates only within certain domains, and whether or not subordinate CAs can create their own subordinates.
* Audit requirements for subordinate CAs with regard to the frequency of audits and who can/should perform them, as per sections 8, 9, and 10 of the Mozilla CA policy.

Our goal here is to avoid having to evaluate lots and lots of subordinate CAs, and instead have the roots take care of their own subordinates and ensure they're compliant to policy. Does this sound reasonable? If so we'll proceed as noted above.

Frank

P.S. One thing I asked for before at some point, and I'll re-ask now, is a clear brief technical description on how root CAs would constrain subordinates to issue EE certs only within certain domains, and also prevent them from creating their own subordinates. I'd like to add this to https://wiki.mozilla.org/CA:Recommendations_for_Roots to provide some technical background for anyone interested.

--
Frank Hecker
[EMAIL PROTECTED]

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
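The P.S. asks how a root technically limits a subordinate to particular domains and stops it from creating further subordinates; the two X.509 mechanisms are the nameConstraints extension and the pathLenConstraint field of basicConstraints (RFC 5280 sections 4.2.1.10 and 4.2.1.9). The following added example, which is not part of Frank's message or of Mozilla's policy material, models those two controls over a constructed certificate hierarchy and checks a chain against them the way a relying party would; certificates are plain dataclasses rather than parsed DER, and every CA and host name in it is made up.

```python
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class Cert:  # only the X.509 fields the check needs (constructed model, not a parsed cert)
    subject: str
    is_ca: bool                                         # basicConstraints cA
    path_len: Optional[int] = None                      # basicConstraints pathLenConstraint
    dns_names: List[str] = field(default_factory=list)  # subjectAltName dNSName entries
    permitted: List[str] = field(default_factory=list)  # nameConstraints permittedSubtrees
    excluded: List[str] = field(default_factory=list)   # nameConstraints excludedSubtrees

def dns_in_subtree(name: str, base: str) -> bool:
    """RFC 5280 4.2.1.10 DNS matching: the name equals the base or is the base with one
    or more labels prepended (www.host.example.com matches host.example.com, host1.example.com does not)."""
    name, base = name.lower().rstrip("."), base.lower().rstrip(".")
    return name == base or name.endswith("." + base)

def validate_chain(chain: List[Cert]) -> List[str]:
    """chain is ordered root -> subordinates -> end entity. Returns every constraint
    violation found; an empty list means the chain satisfies all issuer-imposed limits."""
    errors = []
    for i, issuer in enumerate(chain[:-1]):
        issued = chain[i + 1:]
        if not issuer.is_ca:
            errors.append(f"{issuer.subject} is not a CA but issued {issued[0].subject}")
        # pathLenConstraint limits how many further CA certs may follow this issuer
        # before the end entity; pathlen:0 means "end-entity certs only".
        sub_cas = [c for c in issued[:-1] if c.is_ca]
        if issuer.path_len is not None and len(sub_cas) > issuer.path_len:
            errors.append(f"{issuer.subject} permits {issuer.path_len} further sub-CA(s) "
                          f"but is followed by {len(sub_cas)}")
        # nameConstraints apply to every cert below this issuer; successive permitted sets intersect
        for cert in issued:
            for n in cert.dns_names:
                if issuer.permitted and not any(dns_in_subtree(n, b) for b in issuer.permitted):
                    errors.append(f"{n} ({cert.subject}) is outside {issuer.subject}'s permitted subtrees")
                if any(dns_in_subtree(n, b) for b in issuer.excluded):
                    errors.append(f"{n} ({cert.subject}) is in {issuer.subject}'s excluded subtrees")
    return errors

# Constructed sample hierarchy: the root delegates to one subordinate that may only
# issue end-entity certs (pathlen:0) and only for names under example.com.
ROOT = Cert("Example Root CA", is_ca=True)
SUB_CA = Cert("Example Sub CA", is_ca=True, path_len=0, permitted=["example.com"])
SUB_SUB_CA = Cert("Unauthorized Sub-Sub CA", is_ca=True)
OK_LEAF = Cert("www.example.com", is_ca=False, dns_names=["www.example.com"])
BAD_LEAF = Cert("mail.example.org", is_ca=False, dns_names=["mail.example.org"])
```

`validate_chain([ROOT, SUB_CA, OK_LEAF])` returns no violations, while a leaf outside example.com or a further CA beneath SUB_CA each produce one; a real validator performs the same two checks on the decoded extensions.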