M, Kathleen Wilson wrote:
> > > >> On 3/31/14, 4:01 PM, Kathleen Wilson wrote:
> > > >>> On 3/18/14, 11:54 AM, Kathleen Wilson wrote:
> > > >>>> All,
Hi Rob,
On Wed, Apr 09, 2014 at 11:25:34AM +0100, Rob Stradling wrote:
> On 09/04/14 00:27, Kurt Roeckx wrote:
>
> >The first example, Gandi, does sign certificates for other
> >organizations.
>
> Hi Kurt.
>
> You seem to be assuming that the Subject organizationName in the
> intermediate CA ce
On 4/9/2014 2:04 PM, Rob Stradling wrote:
On 09/04/14 11:57, Moudrick M. Dadashov wrote:
Comodo operate intermediate CAs for several of our partners in a
similar fashion. The partner is named in the intermediate
certificate's Subject organizationName, but it is Comodo who controls
the intermed
On 09/04/14 11:57, Moudrick M. Dadashov wrote:
Comodo operate intermediate CAs for several of our partners in a
similar fashion. The partner is named in the intermediate
certificate's Subject organizationName, but it is Comodo who controls
the intermediate CA private key and checks each certifi
On 4/9/2014 1:25 PM, Rob Stradling wrote:
On 09/04/14 00:27, Kurt Roeckx wrote:
The first example, Gandi, does sign certificates for other
organizations.
Hi Kurt.
You seem to be assuming that the Subject organizationName in the
intermediate CA certificate ("O=GANDI SAS" in this case) identi
On 09/04/14 00:27, Kurt Roeckx wrote:
The first example, Gandi, does sign certificates for other
organizations.
Hi Kurt.
You seem to be assuming that the Subject organizationName in the
intermediate CA certificate ("O=GANDI SAS" in this case) identifies the
organization that controls the CA
On Tue, Apr 08, 2014 at 03:34:13PM -0700, Kathleen Wilson wrote:
> >
> >But I know that we already have such super CAs in the root program
> >now. From the top of my head:
> >- UTN UserFirst signs Gandi
> >- CyberTrust Global signs the Belgian government CA
On 4/8/14, 3:07 PM, Kurt Roeckx wrote:
Here's the pending and included Super-CAs that I'm aware of.
KISA (Government of Korea, Bug #335197)
ICP-Brasil (Government of Brazil, Bug #438825)
SUSCERTE (Government of Venezuela, Bug #489240)
CCA (Government of India, Bug #557167)
US FPKI (
per-CA's audit report of each
> >>subordinate CA to confirm that the subCA was indeed evaluated according to
> >>the stated criteria.
> >>
> >>Correct?
> >
> >Those super CAs already need to get an audit. I think what he's
> >saying
On 4/8/2014 1:25 PM, Kathleen Wilson wrote:
> I'm still conflicted about whether a Super-CA can audit their
> subordinate CAs. And if they can, then what assurances do we have that
> the audit was done in an unbiased manner and according to the criteria
> that we require.
I expressed the same c
being used includes the Baseline
Requirements and the WebTrust or ETSI criteria that Mozilla requires, and
that the outside auditor reviews the Super-CA's audit report of each
subordinate CA to confirm that the subCA was indeed evaluated according to
the stated criteria.
Correct?
Those
uditor reviews the Super-CA's audit report of each
> subordinate CA to confirm that the subCA was indeed evaluated according to
> the stated criteria.
>
> Correct?
Those super CAs already need to get an audit. I think what he's
saying is that that
On 4/1/14, 8:11 PM, Kathleen Wilson wrote:
On 4/1/14, 11:12 AM, Kathleen Wilson wrote:
On 3/31/14, 4:01 PM, Kathleen Wilson wrote:
On 3/18/14, 11:54 AM, Kathleen Wilson wrote:
All,
The only place where we currently describe Super-CAs is here:
https://wiki.mozilla.org
AM, Kathleen Wilson wrote:
> > >> On 3/31/14, 4:01 PM, Kathleen Wilson wrote:
> > >>> On 3/18/14, 11:54 AM, Kathleen Wilson wrote:
> > >>>> All,
> > >>>>
> > >>>> The
>> On 3/18/14, 11:54 AM, Kathleen Wilson wrote:
> >>>> All,
> >>>>
> >>>> The only place where we currently describe Super-CAs is here:
> >>>>
> >>>> https://wiki.mozilla.org/CA:SubordinateCA_
On 4/1/2014 8:11 PM, Kathleen Wilson wrote:
> On 4/1/14, 11:12 AM, Kathleen Wilson wrote:
>> On 3/31/14, 4:01 PM, Kathleen Wilson wrote:
>>> On 3/18/14, 11:54 AM, Kathleen Wilson wrote:
>>>> All,
>>>>
>>>> The only place where we
On 4/1/14, 11:12 AM, Kathleen Wilson wrote:
On 3/31/14, 4:01 PM, Kathleen Wilson wrote:
On 3/18/14, 11:54 AM, Kathleen Wilson wrote:
All,
The only place where we currently describe Super-CAs is here:
https://wiki.mozilla.org/CA:SubordinateCA_checklist
“In the situation where the root CA
On 4/1/2014 11:12 AM, Kathleen Wilson wrote:
> On 3/31/14, 4:01 PM, Kathleen Wilson wrote:
>> On 3/18/14, 11:54 AM, Kathleen Wilson wrote:
>>> All,
>>>
>>> The only place where we currently describe Super-CAs is here:
>>>
>>> https://w
On 3/31/14, 4:01 PM, Kathleen Wilson wrote:
On 3/18/14, 11:54 AM, Kathleen Wilson wrote:
All,
The only place where we currently describe Super-CAs is here:
https://wiki.mozilla.org/CA:SubordinateCA_checklist
“In the situation where the root CA functions as a super CA such that
their CA
licensed by the signing CA. Such signing CAs are called
> Super-CAs, and their subordinate CAs must apply for inclusion of their own
> certificates until the following has been established and demonstrated:
> - The Super-CA's documented policies and audit criteria meet the
> requ
Hi Kathleen,
The new proposed text looks okay to me. I have no comments on it. Thanks.
Regards,
Mark
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
On 3/18/14, 11:54 AM, Kathleen Wilson wrote:
All,
The only place where we currently describe Super-CAs is here:
https://wiki.mozilla.org/CA:SubordinateCA_checklist
“In the situation where the root CA functions as a super CA such that
their CA policies don't apply to the subordinat
From: Kurt Roeckx
To: Policy Authority PKIoverheid
Cc: dev-security-policy@lists.mozilla.org
Subject: Re: "Super" CAs
Message-ID: <20140320181908.gc7...@roeckx.be>
Content-Type: text/plain; charset=us-ascii
Hi,
I think what we want to accomplish is that all CAs are properly audit
tification is an ETSI certification with the additional PKIoverheid
> requirements taken into account.
>
> This thread started with the fact that "several national certification
> authorities are actually acting as super CAs without complete accountability
> for the operations of thei
. The CSPs annually undergo an external audit. This
certification is an ETSI certification with the additional PKIoverheid
requirements taken into account.
This thread started with the fact that "several national certification
authorities are actually acting as super CAs without com
Hi,
I have a few questions:
- Are all those subordinate CAs part of the government?
- Do all audit criteria for approving the subordinate CA match
those that are required by Mozilla?
If both of those are the case, I see no problem adding it.
Kurt
On Wed, Mar 19, 2014 at 07:52:20PM +, Bro
With full disclosure that I have applied for the US Federal Common Policy CA to
be included as a trust anchor (even though we haven't made it thru the process
yet). I question the proposal to try and have all the cross-certified or
subordinate CAs individually apply to be trust anchors. In the
The lead paragraph should encompass non-government super CAs, too.
Furthermore, the policy should address certification authorities (CAs)
and not their root certificates. Consider the following:
> Some CAs sign the certificates of subordinate CAs to show that they have
> been accredi
On Tue, Mar 18, 2014 at 11:54:38AM -0700, Kathleen Wilson wrote:
> All,
>
> The only place where we currently describe Super-CAs is here:
>
> https://wiki.mozilla.org/CA:SubordinateCA_checklist
> "In the situation where the root CA functions as a super CA such that th
All,
The only place where we currently describe Super-CAs is here:
https://wiki.mozilla.org/CA:SubordinateCA_checklist
“In the situation where the root CA functions as a super CA such that
their CA policies don't apply to the subordinate CAs (including
auditing), then the root CA shoul
w root certificates
> >>> that
> >>> several national certification authorities are actually acting as
> >>> super
> >>> CAs without complete accountability for the operations of their
> >>> subsidiary CAs. Is the plan to eventually in
On 2014-02-18 14:28, Ruy Ramos wrote:
The Brazilian root CA for ICP-Brasil has complete accountability for the
operations of its subsidiary CAs. That is achieved by annual audit
procedures take into effect by ITI, the federal agency that plays the
role of Root CA of ICP-Brasil.
Please note that
On 2/19/14 1:43 PM, Jan Schejbal wrote:
On 2014-02-19 01:52, Kathleen Wilson wrote:
- don't have external, third-party audits
I think the current policy for these is "do not let/keep them in the
root program", and I think that this policy needs enforcement, not changes.
Kind regards,
Jan
On 02/18/2014 08:28 PM, Ryan Sleevi wrote:
On Tue, February 18, 2014 5:28 am, Ruy Ramos wrote:
On 02/15/2014 04:42 PM, David E. Ross wrote:
I noticed in the open bug reports for adding new root certificates that
several national certification authorities are actually acting as super
CAs
authorities are actually acting as
super
CAs without complete accountability for the operations of their
subsidiary CAs. Is the plan to eventually include the roots of the
super CAs in the NSS database? Or will only the roots of the
subsidiary
CAs be included, after the usual Mozilla review process
On 2014-02-19 01:52, Kathleen Wilson wrote:
> - don't have external, third-party audits
I think the current policy for these is "do not let/keep them in the
root program", and I think that this policy needs enforcement, not changes.
Kind regards,
Jan
--
Please avoid sending mails, use the gro
On 2/15/14 10:42 AM, David E. Ross wrote:
I noticed in the open bug reports for adding new root certificates that
several national certification authorities are actually acting as super
CAs without complete accountability for the operations of their
subsidiary CAs. Is the plan to eventually
On Tue, February 18, 2014 5:28 am, Ruy Ramos wrote:
> On 02/15/2014 04:42 PM, David E. Ross wrote:
> > I noticed in the open bug reports for adding new root certificates that
> > several national certification authorities are actually acting as super
> > CAs without comple
On 02/15/2014 04:42 PM, David E. Ross wrote:
I noticed in the open bug reports for adding new root certificates that
several national certification authorities are actually acting as super
CAs without complete accountability for the operations of their
subsidiary CAs. Is the plan to eventually
I noticed in the open bug reports for adding new root certificates that
several national certification authorities are actually acting as super
CAs without complete accountability for the operations of their
subsidiary CAs. Is the plan to eventually include the roots of the
super CAs in the NSS
40 matches