Re: Certigna Root Inclusion Request Round 2

2009-03-17 Thread Kathleen Wilson
Many thanks to those of you who have participated in the discussions for this root inclusion request, and reviewed the information that has been provided. Certigna met the request from the first round of public discussion to post and translate the relevant portions of their CPS. During the discuss

Re: Certigna Root Inclusion Request Round 2

2009-03-13 Thread Eddy Nigg
On 03/13/2009 07:34 PM, Kathleen Wilson: Certigna met our request to post and translate the relevant portions of their CPS. There has been very little resulting discussion. Are there still questions that need to be addressed in this public discussion phase? Or shall I move forward with making th

Re: Certigna Root Inclusion Request Round 2

2009-03-13 Thread Kathleen Wilson
Certigna met our request to post and translate the relevant portions of their CPS. There has been very little resulting discussion. Are there still questions that need to be addressed in this public discussion phase? Or shall I move forward with making the recommendation to approve this request? -

Re: Certigna Root Inclusion Request Round 2

2009-03-10 Thread Nelson B Bolyard
Kyle Hamilton wrote, On 2009-03-10 14:14: > I second this motion, no objections. > > -Kyle H > > On Tue, Mar 10, 2009 at 10:48 AM, Kathleen Wilson > wrote: >>> are we planning to move the discussions of accepting CAs into the root >>> list over to the other list? I think that dev-security-polic

Re: Certigna Root Inclusion Request Round 2

2009-03-10 Thread Kyle Hamilton
I second this motion, no objections. -Kyle H On Tue, Mar 10, 2009 at 10:48 AM, Kathleen Wilson wrote: >> are we planning to move the discussions of accepting CAs into the root >> list over to the other list?  I think that dev-security-policy is going now? > > OK.  If no one objects, I will post

Re: Certigna Root Inclusion Request Round 2

2009-03-10 Thread Kathleen Wilson
> are we planning to move the discussions of accepting CAs into the root > list over to the other list?  I think that dev-security-policy is going now? OK. If no one objects, I will post all future root inclusion request discussions on mozilla.dev.security.policy instead of dev.tech.crypto. Kath

Re: Certigna Root Inclusion Request Round 2

2009-03-10 Thread Ian G
On 10/3/09 09:22, Eddy Nigg wrote: On 03/03/2009 11:35 PM, kathleen95...@yahoo.com: Kathleen, are we planning to move the discussions of accepting CAs into the root list over to the other list? I think that dev-security-policy is going now? iang -- dev-tech-crypto mailing list dev-tech-cry

Re: Certigna Root Inclusion Request Round 2

2009-03-10 Thread Eddy Nigg
On 03/03/2009 11:35 PM, kathleen95...@yahoo.com: The relevant, public portion of their CPS has been attached to the bug: https://bugzilla.mozilla.org/attachment.cgi?id=364343 Translations of portions of this document have also been attached to the bug: https://bugzilla.mozilla.org/attachment.cgi

Re: Certigna Root Inclusion Request Round 2

2009-03-03 Thread Kyle Hamilton
On Tue, Mar 3, 2009 at 1:35 PM, wrote: > Email:  CPS section 5.2.6 specifies the controls for applications for > the Certigna ID certificates. It says that in addition to verifying > the identity of the applicant, they check the email address as follows > as per the supplied translation: > “On le

Certigna Root Inclusion Request Round 2

2009-03-03 Thread kathleen95014
Certigna has applied to add one new root CA certificate to the Mozilla root store. The first public discussion of this inclusion request can be found here: http://groups.google.com/group/mozilla.dev.tech.crypto/browse_thread/thread/1eb7ad475c762788# Bug: https://bugzilla.mozilla.org/show_bug.cgi

Re: Certigna Root Inclusion Request

2009-02-16 Thread Yannick LEPLARD
On 14 Feb 09 at 15:09, Frank Hecker wrote: Yannick LEPLARD wrote: Another alternative is to publish just those portions of the CPS that address the question of email verification, and have your auditor confirm to us that the section(s) in question are from the CPS that was referenced

Re: Certigna Root Inclusion Request

2009-02-14 Thread Frank Hecker
Yannick LEPLARD wrote: Another alternative is to publish just those portions of the CPS that address the question of email verification, and have your auditor confirm to us that the section(s) in question are from the CPS that was referenced in your audit. Frank This is a good alternative f

Re: Certigna Root Inclusion Request

2009-02-13 Thread Frank Hecker
kathleen95...@yahoo.com wrote: The summary of the action items resulting from this first public discussion is as follows. A publicly available document that is evaluated as part of the annual audit needs to be provided, and it must include information that satisfies section 7, parts a, b, and c

Re: Certigna Root Inclusion Request

2009-02-13 Thread kathleen95014
The summary of the action items resulting from this first public discussion is as follows. A publicly available document that is evaluated as part of the annual audit needs to be provided, and it must include information that satisfies section 7, parts a, b, and c of the Mozilla CA Certificate Pol

Re: Certigna Root Inclusion Request

2009-02-12 Thread Eddy Nigg
On 02/12/2009 05:13 PM, Yannick LEPLARD: This is a good alternative for us. If everybody agrees, we can send you the fair portion of the CPS in English and our auditor will confirm to you the genuineness of the document. In my opinion this would solve the problem. I would like to request that t

Re: Certigna Root Inclusion Request

2009-02-12 Thread Yannick LEPLARD
Another alternative is to publish just those portions of the CPS that address the question of email verification, and have your auditor confirm to us that the section(s) in question are from the CPS that was referenced in your audit. Frank This is a good alternative for us. If everybody

Re: Certigna Root Inclusion Request

2009-02-12 Thread Frank Hecker
Eddy Nigg wrote: On 02/11/2009 07:19 PM, Yannick LEPLARD: So what should we do? Should we ask our auditor for a certified document about our practices for e-mail validation? Yannick, what are the chances to publish the CPS? Please note that all CAs which have been included into Mozilla NSS duri

Re: Certigna Root Inclusion Request

2009-02-12 Thread Eddy Nigg
On 02/12/2009 12:31 PM, Yannick LEPLARD: First of all, i would like to express my astonishment about the discussion phase. It sounds like Mozilla's discussion "how to evaluate the CAs / changes to do in the benchmarks " rather than a Certigna discussion. Yes, unfortunately we make the mistake a

Re: Certigna Root Inclusion Request

2009-02-12 Thread Yannick LEPLARD
First of all, I would like to express my astonishment about the discussion phase. It sounds like Mozilla's discussion "how to evaluate the CAs / changes to do in the benchmarks" rather than a Certigna discussion. We asked for inclusion in Mozilla in 2007 (August). Mozilla agrees with ETSI 1

Re: Certigna Root Inclusion Request

2009-02-11 Thread Eddy Nigg
On 02/12/2009 01:58 AM, Kyle Hamilton: ...and has thus been bullied and intimidated into accepting things into its root program that are analytically damaging to the PKI I believe - and that's another reason why I'm here, that this can be reversed and improved. It requires some work and we've

Re: Certigna Root Inclusion Request

2009-02-11 Thread Ian G
On 12/2/09 01:17, Eddy Nigg wrote: On 02/12/2009 01:37 AM, Ian G: Audit does an audit context. The two are different. Don't mix them; most all audits are done according to defined audit criteria, such as WebTrust or ETSI or DRC. Yes, and Mozilla relies on them, period. Yes, it's just anot

Re: Certigna Root Inclusion Request

2009-02-11 Thread Ian G
On 12/2/09 00:58, Kyle Hamilton wrote: A notary does not verify content, a notary verifies identity. Actually I meant a notary rather than a notary public, but the difference is moot. What we need is an opinion (hey! using your own terminology, Ian, that means AUDIT, and thus AUDITOR) that

Re: Certigna Root Inclusion Request

2009-02-11 Thread Eddy Nigg
On 02/12/2009 01:37 AM, Ian G: I object. OK, then back to square one. All documents supplied to Mozilla are within a Mozilla context. Huuu? Audit does an audit context. The two are different. Don't mix them; most all audits are done according to defined audit criteria, such as WebTrust o

Re: Certigna Root Inclusion Request

2009-02-11 Thread Kyle Hamilton
A notary does not verify content, a notary verifies identity. What we need is an opinion (hey! using your own terminology, Ian, that means AUDIT, and thus AUDITOR) that the document substantially reflects the CP/CPS. If not an auditor, who would you suggest to do it, given that a notary isn't au

Re: Certigna Root Inclusion Request

2009-02-11 Thread Ian G
On 11/2/09 21:29, Eddy Nigg wrote: On 02/11/2009 07:12 PM, David E. Ross: However, the last sentence should be modified to say: * All documents supplied as evidence should be publicly available and must be addressed in any audit. I don't have (don't want) an account to update the Wiki. I ag

Re: Certigna Root Inclusion Request

2009-02-11 Thread Eddy Nigg
On 02/11/2009 07:19 PM, Yannick LEPLARD: So what should we do? Should we ask our auditor for a certified document about our practices for e-mail validation? Yannick, what are the chances to publish the CPS? Please note that all CAs which have been included into Mozilla NSS during the last few ye

Re: Certigna Root Inclusion Request

2009-02-11 Thread Eddy Nigg
On 02/11/2009 06:59 PM, David E. Ross: If the information is critical for determining whether a CA's root should be in the certificate store, then the document should be audited. In the case at hand, the issue is whether the root should be enabled for E-mail validation. Because that issue is

Re: Certigna Root Inclusion Request

2009-02-11 Thread Eddy Nigg
On 02/11/2009 06:43 PM, Ian G: OK, I made some changes on the wiki and added these words: https://wiki.mozilla.org/CA:Recommended_Practices#Recommended_practices # (we rely on public documents only). # If you do not publish the CP/CPS (not recommended), you will need to publish an extract

Re: Certigna Root Inclusion Request

2009-02-11 Thread Eddy Nigg
On 02/11/2009 07:12 PM, David E. Ross: However, the last sentence should be modified to say: * All documents supplied as evidence should be publicly available and must be addressed in any audit. I don't have (don't want) an account to update the Wiki. I agree on this definition. Is there an

Re: Certigna Root Inclusion Request

2009-02-11 Thread Yannick LEPLARD
If the information is critical for determining whether a CA's root should be in the certificate store, then the document should be audited. In the case at hand, the issue is whether the root should be enabled for E-mail validation. Because that issue is addressed in the CPS, which we cannot s

Re: Certigna Root Inclusion Request

2009-02-11 Thread David E. Ross
On 2/11/2009 8:43 AM, Ian G wrote: > On 11/2/09 05:20, Frank Hecker wrote: >> Ian G wrote: >>> The policy says, we need published information, *eg* the CPS. >>> >>> Not, "CPS must be published." >> Yes, exactly. We typically use the CPS and/or CP because almost all CAs >> publish those documents; h

Re: Certigna Root Inclusion Request

2009-02-11 Thread David E. Ross
On 2/10/2009 8:16 PM, Frank Hecker wrote: > David E. Ross wrote: >> On 2/10/2009 12:06 PM, Frank Hecker wrote: >>> If you cannot publish the CPS because it contains private information, I >>> suggest as an alternative that you provide some sort of official >>> Certigna document that summarizes th

Re: Certigna Root Inclusion Request

2009-02-11 Thread Ian G
On 11/2/09 05:20, Frank Hecker wrote: Ian G wrote: The policy says, we need published information, *eg* the CPS. Not, "CPS must be published." Yes, exactly. We typically use the CPS and/or CP because almost all CAs publish those documents; however there is no requirement that the information

Re: Certigna Root Inclusion Request

2009-02-11 Thread Eddy Nigg
On 02/11/2009 04:12 PM, Frank Hecker: Yes in theory, but I'm not convinced that this is a real risk in practice. In the past we've had several cases where we've accepted public statements by CAs that went beyond what was in their CPS or CP. In some cases these were clarifications of CP/CPS langus

Re: Public CPS Requirement [Was: Certigna Root Inclusion Request]

2009-02-11 Thread pascal . merlin
On 11 Feb, 05:16, Frank Hecker wrote: > Eddy Nigg wrote: > > On 02/10/2009 10:06 PM, Frank Hecker: > >> If you cannot publish the CPS because it contains private information, I > >> suggest as an alternative that you provide some sort of official > >> Certigna document that summarizes the portions o

Re: Certigna Root Inclusion Request

2009-02-11 Thread Frank Hecker
Eddy Nigg wrote: Well no, then any CA can write whatever it feels in such a document which would be entirely non-binding and not audited. Yes in theory, but I'm not convinced that this is a real risk in practice. In the past we've had several cases where we've accepted public statements by CA

Re: Certigna Root Inclusion Request

2009-02-11 Thread Eddy Nigg
On 02/11/2009 06:20 AM, Frank Hecker: Ian G wrote: The policy says, we need published information, *eg* the CPS. Not, "CPS must be published." Yes, exactly. We typically use the CPS and/or CP because almost all CAs publish those documents; however there is no requirement that the information

Re: Certigna Root Inclusion Request

2009-02-11 Thread Eddy Nigg
On 02/11/2009 06:16 AM, Frank Hecker: My assumption was that if the material in the document was based on the CPS then it would have been covered in the audit, since presumably the audit was based on what was in the CPS. Well no, then any CA can write whatever it feels in such a document whi

Re: Certigna Root Inclusion Request

2009-02-10 Thread Frank Hecker
Ian G wrote: The policy says, we need published information, *eg* the CPS. Not, "CPS must be published." Yes, exactly. We typically use the CPS and/or CP because almost all CAs publish those documents; however there is no requirement that the information published by the CA be in the form of

Re: Certigna Root Inclusion Request

2009-02-10 Thread Frank Hecker
David E. Ross wrote: On 2/10/2009 12:06 PM, Frank Hecker wrote: If you cannot publish the CPS because it contains private information, I suggest as an alternative that you provide some sort of official Certigna document that summarizes the portions of the CPS that are of most interest to us (i

Re: Public CPS Requirement [Was: Certigna Root Inclusion Request]

2009-02-10 Thread Frank Hecker
Eddy Nigg wrote: On 02/10/2009 10:06 PM, Frank Hecker: If you cannot publish the CPS because it contains private information, I suggest as an alternative that you provide some sort of official Certigna document that summarizes the portions of the CPS that are of most interest to us (i.e., those

Re: Certigna Root Inclusion Request

2009-02-10 Thread Ian G
On 10/2/09 21:06, Frank Hecker wrote: I acknowledge your comment that ETSI TS 102 042 does not require the CPS to be published. However we depend on public documents to document the exact claims that CAs make and whether these meet our policy requirement. So this causes a problem for us when we

Public CPS Requirement [Was: Certigna Root Inclusion Request]

2009-02-10 Thread Eddy Nigg
On 02/10/2009 10:06 PM, Frank Hecker: If you cannot publish the CPS because it contains private information, I suggest as an alternative that you provide some sort of official Certigna document that summarizes the portions of the CPS that are of most interest to us (i.e., those relating to valida

Re: Certigna Root Inclusion Request

2009-02-10 Thread David E. Ross
On 2/10/2009 12:06 PM, Frank Hecker wrote: > Yannick LEPLARD wrote: >> Unfortunately, CPS are not published (they described internal technical and >> organizational measurements) > > I acknowledge your comment that ETSI TS 102 042 does not require the CPS > to be published. However we depend on p

Re: Certigna Root Inclusion Request

2009-02-10 Thread Eddy Nigg
On 02/10/2009 10:19 PM, Frank Hecker: Email validation isn't too difficult to implement, however we have seen various times that this isn't done sufficiently or correctly. Note that the official Mozilla policy doesn't attempt to dictate exactly what mechanisms a CA uses to verify ownership of e

Re: Certigna Root Inclusion Request

2009-02-10 Thread Frank Hecker
Eddy Nigg wrote: On 02/10/2009 04:25 PM, Yannick LEPLARD: RA operators must obtain guarantee that the e-mail address is owned by the requester. It's difficult in fact to make such controls. Email validation isn't too difficult to implement, however we have seen various times that this isn'

Re: Certigna Root Inclusion Request

2009-02-10 Thread Frank Hecker
Yannick LEPLARD wrote: Unfortunately, CPS are not published (they described internal technical and organizational measurements) I acknowledge your comment that ETSI TS 102 042 does not require the CPS to be published. However we depend on public documents to document the exact claims that CAs

Re: Certigna Root Inclusion Request

2009-02-10 Thread Eddy Nigg
On 02/10/2009 06:30 PM, Ian G: a. Time. There is always some element of change between the last audit and current practice. Audits are "snapshots of the past" not proofs over the present nor future. So far correct. And, there is an expectation that audits are repeated over time, the new guy h

Re: Certigna Root Inclusion Request

2009-02-10 Thread Yannick LEPLARD
You state ". . . CPS are not published . . . " Repeatedly, the "WebTrust Program for Certification Authorities" indicates that the CPS is PUBLISHED. This means it is made available to the public, to both those who have certificates and those who trust those certificates. If you were audited

Re: Certigna Root Inclusion Request

2009-02-10 Thread Yannick LEPLARD
We are at the same level as the DCSSI CA that was approved a few days ago. Each CA is looked at independently and each CA has its own CP/CPS, audit etc. I just wanted to explain that DCSSI is the French government CA, and PRIS/RGS is the new highest level standard for French CAs.

Re: Certigna Root Inclusion Request

2009-02-10 Thread Ian G
On 10/2/09 16:42, : The initial comment was written in August 2008, and now we have code signing certificates, and it appears in our CP/CPS. To my understanding the audit wasn't performed with those changes. In general terms, and without commenting at all on the current case, here are a few

Re: Certigna Root Inclusion Request

2009-02-10 Thread Eddy Nigg
On 02/10/2009 04:25 PM, Yannick LEPLARD: The initial comment was written in August 2008, and now we have code signing certificates, and it appears in our CP/CPS. To my understanding the audit wasn't performed with those changes. Yes it is not defined in our CP but in our internal operationa

Re: Certigna Root Inclusion Request

2009-02-10 Thread David E. Ross
On 2/10/2009 6:25 AM, Yannick LEPLARD wrote: > > On 9 Feb 09 at 20:54, Eddy Nigg wrote: > >> On 02/09/2009 09:35 PM, kathleen95...@yahoo.com >> : >>> Of course. I will await your next post to this discussion. >>> >> >> Just browsing through the various documen

Re: Certigna Root Inclusion Request

2009-02-10 Thread Yannick LEPLARD
On 9 Feb 09 at 20:54, Eddy Nigg wrote: On 02/09/2009 09:35 PM, kathleen95...@yahoo.com: Of course. I will await your next post to this discussion. Just browsing through the various documents and I noticed the following so far. It seems to me that the code signing bit *should not* be activated, it s

Re: Certigna Root Inclusion Request

2009-02-09 Thread Eddy Nigg
On 02/10/2009 03:14 AM, Nelson B Bolyard: Eddy Nigg wrote, On 2009-02-09 11:54: On 02/09/2009 09:35 PM, kathleen95...@yahoo.com: Of course. I will await your next post to this discussion. Just browsing through the various documents and I noticed the following so far. It seems to me that the

Re: Certigna Root Inclusion Request

2009-02-09 Thread Nelson B Bolyard
Eddy Nigg wrote, On 2009-02-09 11:54: > On 02/09/2009 09:35 PM, kathleen95...@yahoo.com: >> Of course. I will await your next post to this discussion. >> > > Just browsing through the various documents and I noticed the following > so far. > > It seems to me that the code signing bit *should not

Re: Certigna Root Inclusion Request

2009-02-09 Thread Eddy Nigg
On 02/09/2009 09:35 PM, kathleen95...@yahoo.com: Of course. I will await your next post to this discussion. Just browsing through the various documents and I noticed the following so far. It seems to me that the code signing bit *should not* be activated, it should be reflected in the "Pen

Re: Certigna Root Inclusion Request

2009-02-09 Thread kathleen95014
Of course. I will await your next post to this discussion.

Re: Certigna Root Inclusion Request

2009-02-09 Thread Eddy Nigg
On 02/09/2009 08:38 PM, kathleen95...@yahoo.com: Certigna’s root inclusion request has been in public discussion for a week now. No issues or concerns about this request have been raised. According to https://wiki.mozilla.org/CA:How_to_apply “If there are no open issues or action items after the

Re: Certigna Root Inclusion Request

2009-02-09 Thread kathleen95014
Certigna’s root inclusion request has been in public discussion for a week now. No issues or concerns about this request have been raised. According to https://wiki.mozilla.org/CA:How_to_apply “If there are no open issues or action items after the first discussion period, and there is general agre

Certigna Root Inclusion Request

2009-02-02 Thread kathleen95014
As per the CA Schedule at https://wiki.mozilla.org/CA:Schedule Certigna is the next request in the queue for public discussion. Certigna (a French CA for the European market) has applied to add one new root CA certificate to the Mozilla root store, as documented in the following bug: https://bugz