I've decided to make S-TRUST the next CA to enter the public discussion
period. (I need to do a little more work for KISA, T-Systems, and
Microsec, the other CAs near the top of the list.) S-TRUST is operated
by Deutscher Sparkassenverlag (DSV), which has applied to add four new
root CA certificates to the Mozilla root store, as documented in the
following bug:

https://bugzilla.mozilla.org/show_bug.cgi?id=370627

and in the pending certificates list here:

http://www.mozilla.org/projects/security/certs/pending/#S-TRUST

Some quick comments regarding noteworthy points:

* S-TRUST issues certificates to individuals for use in SSL client
authentication and email. Since they don't issue certificates to SSL
servers, right now I've got them marked as requesting that only the
email "trust bit" be enabled.

However, does the SSL trust bit need to be enabled for S-TRUST client
certificates to be properly recognized at either the client or server
end? I can't remember the answer for this, and would appreciate advice.

* Per German law S-TRUST issues one new root CA certificate for every
year, with each root cert having a 5-year lifetime. Thus they are
currently requesting inclusion of four root certificates, for 2005
through 2008. Starting in 2010 the older root certs will begin to expire
and we can remove them.

* The CPS documents are in German (sorry Eddy!), but as far as I know we
have English translations of the relevant sections, and can do further
translations as needed.

* S-TRUST has undergone audits per the ETSI TS 101 456 and 102 042
criteria. The relevant audit certificates are still current.

I suggest reading Kathleen's summary document to get an overview of this
request; thanks again to Kathleen for preparing these!

As we did with SECOM Trust, I'm planning to have a single one-week
discussion period. After that week, if there are no outstanding issues
relating to the request then I am going to go ahead and officially
approve it. (Otherwise we'll postpone further discussion until the
issues are resolved.)

Frank

--
Frank Hecker
hec...@mozillafoundation.org
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto