I've decided to make S-TRUST the next CA to enter the public discussion period. (I need to do a little more work for KISA, T-Systems, and Microsec, the other CAs near the top of the list.) S-TRUST is operated by Deutscher Sparkassenverlag (DSV), which has applied to add four new root CA certificates to the Mozilla root store, as documented in the following bug:

  https://bugzilla.mozilla.org/show_bug.cgi?id=370627

and in the pending certificates list here:

  http://www.mozilla.org/projects/security/certs/pending/#S-TRUST

Some quick comments regarding noteworthy points:

* S-TRUST issues certificates to individuals for use in SSL client authentication and email. Since they don't issue certificates to SSL servers, right now I've got them marked as requesting that only the email "trust bit" be enabled.

However, does the SSL trust bit need to be enabled for S-TRUST client certificates to be properly recognized at either the client or server end? I can't remember the answer for this, and would appreciate advice.

* Per German law S-TRUST issues one new root CA certificate for every year, with each root cert having a 5-year lifetime. Thus they are currently requesting inclusion of four root certificates, for 2005 through 2008. Starting in 2010 the older root certs will begin to expire and we can remove them.

* The CPS documents are in German (sorry Eddy!), but as far as I know we have English translations of the relevant sections, and can do further translations as needed.

* S-TRUST has undergone audits per the ETSI TS 101 456 and 102 042 criteria. The relevant audit certificates are still current.

I suggest reading Kathleen's summary document to get an overview of this request; thanks again to Kathleen for preparing these!

As we did with SECOM Trust, I'm planning to have a single one-week discussion period. After that week, if there are no outstanding issues relating to the request then I am going to go ahead and officially approve it. (Otherwise we'll postpone further discussion until the issues are resolved.)

Frank

--
Frank Hecker
hec...@mozillafoundation.org
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
