Kyle Hamilton wrote, On 2009-02-09 18:29:
Hey, I just ran into the first application of client certificate
authentication requirement on a public US government website that I've
seen.
https://sportal.uspto.gov/secure/portal/efs-unregistered
has information on the unregistered
On 10/2/09 02:23, Nelson B Bolyard wrote:
I'd post this in the policy working group, if that was operational ... :(
I also don't like this discussion about waiting for some perfect A-list
of tech. We've got the NNTP thing, we've got the ordinary mail, what
are we waiting on now?
On 10.02.2009 02:23, Nelson B Bolyard wrote:
I'd post this in the policy working group, if that was operational ... :(
In f790af94-3997-43b6-a5aa-a4d79119c...@s1g2000prg.googlegroups.com
our esteemed Kathleen Wilson kathleen95...@yahoo.com wrote:
According to
On 02/10/2009 02:30 PM, Ben Bucksch:
Are you fearing that you are on holiday during that time and can't have
your voice?
We should recommend that people who have reviewed the CAs in question
say so after the comments period. Otherwise we don't know that somebody
at least took a look. For
On 02/10/2009 02:15 PM, Ian G:
I also don't like this discussion about waiting for some perfect A-list
of tech. We've got the NNTP thing, we've got the ordinary mail, what are
we waiting on now? google-phone? twitter?
Even though I don't care about google groups either (and google can
fetch
On 10/2/09 14:16, Eddy Nigg wrote:
On 02/10/2009 02:15 PM, Ian G:
I think -- personal likely biased opinion only -- you might get more
value by looking inside the foundation and asking them to expand the
resources available on the CA desk. Their job is to be independent, and
so far, that's
On 9 Feb 09 at 20:54, Eddy Nigg wrote:
On 02/09/2009 09:35 PM, kathleen95...@yahoo.com:
Of course. I will await your next post to this discussion.
Just browsing through the various documents and I noticed the following so far.
It seems to me that the code signing bit *should not* be activated, it
On 2/10/2009 6:25 AM, Yannick LEPLARD wrote:
On 9 Feb 09 at 20:54, Eddy Nigg wrote:
On 02/09/2009 09:35 PM, kathleen95...@yahoo.com:
Of course. I will await your next post to this discussion.
Just browsing through the various documents and I noticed
On 02/10/2009 04:25 PM, Yannick LEPLARD:
The initial comment was written in August 2008, and now we have code signing
certificates, and it appears in our CP/CPS.
To my understanding the audit wasn't performed with those changes.
Yes it is not defined in our CP but in our internal
On 10/2/09 16:42, :
The initial comment was written in August 2008, and now we have code
signing
certificates, and it appears in our CP/CPS.
To my understanding the audit wasn't performed with those changes.
In general terms, and without commenting at all on the current case,
here are a
We are at the same level as the DCSSI CA that was approved a few
days ago.
Each CA is looked at independently and each CA has its own CP/CPS,
audit etc.
I just wanted to explain that DCSSI is the French government CA,
and PRIS/RGS is the new highest level standard for French CAs.
You state . . . CPS are not published . . .
Repeatedly, the WebTrust Program for Certification Authorities
indicates that the CPS is PUBLISHED. This means it is made
available to
the public, to both those who have certificates and those who trust
those certificates. If you were audited in
Nelson B Bolyard wrote:
This is probably a policy question, but: are we willing to accept CAs
that use CRLs that we cannot parse?
I'd say no.
Does this CA also implement OCSP? Can we justify this on the grounds
that we do implement OCSP, and that OCSP will effectively displace CRLs
as the
On 02/10/2009 06:30 PM, Ian G:
a. Time. There is always some element of change between the last audit
and current practice. Audits are snapshots of the past not proofs over
the present nor future.
So far correct.
And, there is an expectation that audits are
repeated over time, the new guy
Nelson B Bolyard wrote:
While I do not wish in any way to question or reduce the value of
Kathleen's evaluation, I wonder if it is right for us to allow CA
applications to be approved in the absence of any real public discussion.
As Ben pointed out, there was opportunity for public discussion,
Nelson B Bolyard wrote:
Kyle Hamilton wrote
Hey, I just ran into the first application of client certificate
authentication requirement on a public US government website that I've
seen.
snip
I played with it a bit.
As far as I can tell, it is not doing SSL client authentication, per se,
at
Ian G wrote:
I think -- personal likely biased opinion only -- you might get more
value by looking inside the foundation and asking them to expand the
resources available on the CA desk.
Right now between Kathleen, myself, and Johnathan Nightingale (e.g., his
CAB Forum activities) we have
Michael Ströder wrote:
Nelson B Bolyard wrote:
snip
Does this CA also implement OCSP? Can we justify this on the grounds
that we do implement OCSP, and that OCSP will effectively displace CRLs
as the preferred revocation channel?
I'd say no. Use of OCSP should not be made mandatory.
I
PKI implementation is running well here in the Brazilian government. We have
laws and a national PKI (ICP-Brasil) already supporting digital signatures.
The next step is to officially implement a long-term digital signature
schema, based on RFC 3126.
I think that our government structure strongly
The client-side processing of digital signatures is the major problem, I
think. And the main barrier against the adoption of PKI. Key stores are far
from a standardization. CryptoAPI, CNG, Mozilla, JAVA KS, CSP, PKCS#11, etc.
Bruno de Paula Ribeiro
Analista de Sistemas
(11) 4501 1886
Certisign
Eddy Nigg wrote:
On 02/10/2009 04:25 PM, Yannick LEPLARD:
snip
RA operators must obtain a guarantee that the e-mail address is owned by
the requester.
It's difficult in fact to make such controls.
Email validation isn't too difficult to implement, however we have seen
various times that this
On 02/10/2009 10:19 PM, Frank Hecker:
Email validation isn't too difficult to implement, however we have
seen various times that this isn't done sufficiently or correctly.
Note that the official Mozilla policy doesn't attempt to dictate exactly
what mechanisms a CA uses to verify ownership of
On 02/10/2009 09:42 PM, Frank Hecker:
And in any case, I don't see people being as much concerned about having
more Mozilla-employed people involved, but as getting more community
feedback. And I don't have any good answers there because it depends on
having more people willing to volunteer
On Tue, Feb 10, 2009 at 11:52 AM, Frank Hecker
hec...@mozillafoundation.org wrote:
Speaking to Anders's point about provisioning, I think the largest
deployment of client certificates in the US government is probably the DoD
PKI implementation, where they solved the provisioning problem in a
On 2/10/2009 12:06 PM, Frank Hecker wrote:
Yannick LEPLARD wrote:
Unfortunately, CPS are not published (they described internal technical and
organizational measurements)
I acknowledge your comment that ETSI TS 102 042 does not require the CPS
to be published. However we depend on public
On 02/10/2009 10:06 PM, Frank Hecker:
If you cannot publish the CPS because it contains private information, I
suggest as an alternative that you provide some sort of official
Certigna document that summarizes the portions of the CPS that are of
most interest to us (i.e., those relating to
On 10/2/09 23:02, Eddy Nigg wrote:
On 02/10/2009 09:42 PM, Frank Hecker:
And in any case, I don't see people being as much concerned about having
more Mozilla-employed people involved, but as getting more community
feedback. And I don't have any good answers there because it depends on
having
That's a very good question. The most important part of the answer to
it would have to be: don't discount what they say.
However, I have a suggested strategy for reviewers: don't limit your
review to only those trust bits that are initially requested. This
way, if there is an amendment to the
Kyle Hamilton wrote:
I'm asking this because I think a template which includes a statement
of requirements would be an exceedingly good thing for people
undertaking reviews for Mozilla CA program inclusion -- and would open
up the process to people who have less interior working knowledge of a
Eddy Nigg wrote:
On 02/10/2009 10:06 PM, Frank Hecker:
If you cannot publish the CPS because it contains private information, I
suggest as an alternative that you provide some sort of official
Certigna document that summarizes the portions of the CPS that are of
most interest to us (i.e., those
Ian G wrote:
The policy says, we need published information, *eg* the CPS.
Not, CPS must be published.
Yes, exactly. We typically use the CPS and/or CP because almost all CAs
publish those documents; however there is no requirement that the
information published by the CA be in the form of