All,
My apologies for taking so long to get back to this discussion about the
Government of Taiwan's (GRCA's) request to include their Government Root
Certification Authority root certificate, and turn on the Websites and Email
trust bits.
Note that GRCA has suggested that this root be constrained to *.tw.
To my knowledge, the questions and concerns raised about this request have been
resolved. In particular:
1) There are several intermediate certificates that are technically capable of
issuing TLS certificates, but have not been audited according to the BRs. We
have resolved this particular situation in the past by having the CA get an
audit statement saying that the intermediate certificate has not issued TLS
certificates during the audit period. And requiring that the CA get such an
audit statement annually.
GRCA has provided the requested audit statement:
https://www.google.com/url?q=https%3A%2F%2Fbug1065896.bmoattachments.org%2Fattachment.cgi%3Fid%3D8835815=D=1=AFQjCNH9syh0sbLxMj35bdC1TDeQslx32w
2) The new root certificate has the same exact full distinguished name as the
old root certificate.
My recommendation is that we allow it this time, but not for future root certs
from this CA.
So, if there are no further questions or comments about this CA's request, then
I will close this discussion and recommend approval in the bug.
Thanks,
Kathleen
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy