Nelson Bolyard wrote:
Eddy Nigg (StartCom Ltd.) wrote:
The change I proposed concerning CA applications and submission of the
relevant documents would solve this issue entirely. In the meantime I
suggest to always attach the audit papers to the bug.
Concerning the document SwissSign
The latest comments at the bug
https://bugzilla.mozilla.org/show_bug.cgi?id=343756#c45 answer and
clarify the questions and issues which I raised. SwissSign intend to
reformulate the relevant parts of their CP/CPS to make it clearer next
time...
--
Regards
Signer: Eddy Nigg,
Eddy Nigg (StartCom Ltd.) wrote:
The change I proposed concerning CA applications and submission of the
relevant documents would solve this issue entirely. In the meantime I
suggest to always attach the audit papers to the bug.
Concerning the document SwissSign provided I think it's
Nelson Bolyard wrote:
Does Mozilla accept documents, *received from the applicants* (the CAs),
that purport to be true copies of auditor's attestation documents, as
being true copies of such documents, without any further proof?
I don't think we've ever formulated a formal policy on this issue
Nelson Bolyard wrote:
Eddy Nigg (StartCom Ltd.) wrote:
Again, I might have missed something here...if not I suggest that you or
me ask about clarification at the bug.
Eddy, please ask exactly those questions in the bug.
No further comments have been posted until now, so I went ahead
I've been reading most relevant CP/CPS published at
http://repository.swisssign.com/ and currently have a question
concerning domain ownership validation (or relevant authorization
rights) of the Gold and Silver server certificates issued by SwissSign
which would satisfy the Mozilla CA policy
Frank Hecker wrote:
Eddy Nigg (StartCom Ltd.) wrote:
Section 3.2.2 of the Gold CPS includes the following:
/DC= fields will only be accepted if a printout of the WHOIS entry for
the domain is included. The owner of the domain must approve the
request with a handwritten personal signature
Frank,
A policy question (or policy administration question):
Does Mozilla accept documents, *received from the applicants* (the CAs),
that purport to be true copies of auditor's attestation documents, as
being true copies of such documents, without any further proof?
That question applies to
Eddy Nigg (StartCom Ltd.) wrote:
Frank Hecker wrote:
If you have further questions please feel free to ask them in the bug;
I think Melanie Raemy of SwissSign is following the bug traffic but
not the newsgroup discussion.
Obviously I don't want to bother at the bug if unnecessary...so I
Eddy Nigg (StartCom Ltd.) wrote:
Could you please be so kind and provide me with a URL or document of
the audit attestation of KPMG and what exactly it entails including
under which criteria the CA was audited?
The criteria were ETSI TS 101.456, as I believe I mentioned in the bug
Hi Frank,
I've visited that page you are pointing me obviously. However this page
also says:
The standards ETSI TS 101.456 (Europe) and ANSI X9.79 (USA, Canada)
*may* also serve *as a basis* for the certification of a Public Key
Infrastructure (PKI) respectively a Certification Service
Frank Hecker wrote:
Yes, the latter would be my concern (ETSI TS 101.456 as the relevant
criteria according to the Mozilla CA policy as opposed to ZertES as
the criteria).
From our point of view it would be perfectly fine if the audit criteria
encompassed both ETSI TS 101.456 and
Eddy Nigg (StartCom Ltd.) wrote:
I've visited that page you are pointing me obviously. However this page
also says:
The standards ETSI TS 101.456 (Europe) and ANSI X9.79 (USA, Canada)
*may* also serve *as a basis* for the certification of a Public Key
Infrastructure (PKI) respectively a
Hi Frank,
Could you please be so kind and provide me with a URL or document of
the audit attestation of KPMG and what exactly it entails including
under which criteria the CA was audited?
--
Regards
Signer: Eddy Nigg, StartCom Ltd. http://www.startcom.org
Jabber: [EMAIL
Eddy Nigg (StartCom Ltd.) wrote:
Yes, I saw that under Certification Service Provider (CSP)...so if I
understand you correctly, the standards listed under this section were
the requirements used for the audit. In that case it's most likely that
they do have a document confirming that by
Hi Frank,
Frank Hecker wrote:
The Details SwissSignAG page seems pretty clear that ETSI TS 101.456
was (one of) the criteria used in the audit.
Yes, I saw that under Certification Service Provider (CSP)...so if I
understand you correctly, the standards listed under this section were
the