Guys. I am not an expert on all this but do have some experience so hopefully the following comments might be useful.
1) The EU has a number of directives in place that require members of the EU community to make specific provisions within local legislation. The basic thrust of the legislation is to make digital certificates and electronic signatures legally admissible. Most EU countries have now completed the necessary local law changes, but be aware that being compliant with local Digital Signature legislation does not necessarily mean that a CA that claims compliance is also operating at a WebTrust equivalent level.

2) There are requirements on member states (countries) to place some control over commercial certificate providers, but the precise nature of this in each country is extremely variable. In some countries I believe that you literally just need to register, so it really provides no judgement regarding the fitness of the organisation to run a CA. Controls also vary depending upon whether a CA claims to issue Qualified Certificates or not. The requirements for CAs issuing non-qualified certificates can be much, much lower.

3) In the UK (where I live so I know it best) we have something called tScheme, which is a true independent certification body. It basically sets down a benchmark that has to be achieved to gain the Government seal of approval. It requires a detailed assessment to be completed covering operational processes and business providence (e.g. financial stability etc.). It basically requires an organisation to be operating with ISO9001 (quality management), BS17799 (information security management) and then a set of PKI-specific items (such as adequate CP & CPS). In my view it is a very similar approach to WebTrust. Having said that, it is possible to get tScheme approval for just an RA process, so you do need to understand the certification process in order for it to be of value.

4) The equivalent body in Germany appears to be RegTP (http://www.regtp.de/en/index.html) but I am not sure exactly what their levels are. I think it would be wise to find out before just assuming that because it's a national register it is broadly equivalent to WebTrust; I am pretty sure this is not the case in all countries. Having said that, German legislation is usually more rather than less ;-) so it might well be.

5) I cannot see T-Systems or Deutsche Telekom on the RegTP list, and I would have thought that any CA where the CP and CPS were not already in place would be unlikely to meet the WebTrust requirement, so by your current benchmark would not be compliant. I am not saying that this specific organisation is not suitable, just that at present the evidence doesn't really suggest that they are at an equivalent WebTrust level.

6) I think if you decide to accept national accreditation bodies (which I personally think is a good thing) some due diligence should be performed to ensure that they are broadly equivalent to the WebTrust model, as some will undoubtedly have different levels, some of which might be acceptable, some not. I also think that a simple email from the company saying that they have a specific accreditation is not acceptable (remember, adding to the trusted roots is quite important). They should provide a registration number that covers a specific CA and this should then be checked with the body themselves. I would also have thought that the national bodies would be prepared to support this activity as it helps increase their profile and value to the CA operators, who often have to pay quite a lot of cash to go through and maintain their accreditation. They might even help with a comparison with WebTrust.

Hope this helps,
Mark Hobbs
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Nelson B
Sent: 22 December 2004 00:38
To: [email protected]
Subject: Re: New CA cert request from T-Systems

Frank Hecker wrote:
> The main issue with T-Systems is that they are not WebTrust audited, but
> they have been certified for compliance with the German Digital
> Signature Act.

By whom? Who so certifies?

> I'm not personally familiar with how the requirements of
> this act compare to the WebTrust criteria, and therefore I don't know if
> this would satisfy the "WebTrust-equivalent" requirement. If any of you
> know more about this please post a comment in the bug above.

My guess would be that a CA that has been certified BY THE GERMAN GOVERNMENT for compliance with their laws would be suitable for inclusion in mozilla as an EMAIL CA only.

--
Nelson B

_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto
