Hello Samuel,

On Thursday, 6 March 2014 10:37:30 UTC+1, spar...@gmail.com wrote:
> Let me start with the Webtrust audit the Crosscert got.
> 
> The Webtrust audit Crosscert received is for the Verisign service they are 
> offering.
> 
> For your information, Crosscert is also a sub-CA of Verisign. However, two 
> systems (KISA and Verisign) are separately operated and the audit does not 
> cover the area of KISA's certificates. This is Crosscert's business to 
> operate Verisign service so KISA does not care about it as long as it does 
> not affect KISA's certificates. 

So, "Crosscert" has at least 2 different CAs, one signed by VeriSign and 
audited to be conformant with WebTrust (for CA/EV? which version?), the other 
one signed by KISA and audited by KISA.
This second audit doesn't satisfy the Mozilla criteria *at all*: independent 
auditor, audit criteria among the accepted ones, and, reading the long ticket, 
competent party.

> KISA is designated by law to do the actual auditing of CAs(for the KISA's 
> certificates) and the audit criteria are all from the act, decree, ordinance 
> and regulations from them(Korea Electronic Signature Act). I believe for 
> several years what KISA was convincing Mozilla was that how KISA audits the 
> sub-CAs and the Mozilla's request was KISA getting a Webtrust. Now we got a 
> webtrust (https://cert.webtrust.org/ViewSeal?id=1622).

But you got a Webtrust for a CA that isn't concerned by the request.

> If you are requesting for the Sub-CAs Webtrust now, it will be very 
> disappointing issue to delay the entire time-line we were expecting(since we 
> were trying to include KISA certificate from 2006).

A quick Google search for old versions of Mozilla Policy brings this link:
http://www-archive.mozilla.org/projects/security/certs/policy/
This is version 1.2 of the policy, dated 2008. It wasn't perfect, some gray 
areas were present, but at least, in this policy, the "independent, competent, 
criteria" principles were already written, and KISA didn't reply to any of 
them. This isn't new.

> As you may or may not know every accredited CA in Korea is strictly ruled by 
> the government (that's why they are designated 'accredited'). Any accident or 
> security matter, Korean government will respond directly.

And Mozilla policy doesn't take that into account. A CA can be covered by 
several audits if necessary.

> And for your information, KISA's certificate is already included at MS IE, 
> APPLE Safari, OPERA and also Android OS several years ago.

That's not an argument.

> And of course, Korea electronic signature act, decree, ordinance and 
> regulations fulfill the Mozilla's requirements(I believe that's what we were 
> trying to convince Mozilla through bugzilla ever since year 2006). 

I'm not convinced. The example certificates I've seen so far don't contain an 
HTTP URL for a CRL, don't contain an OCSP URL, and contain a bad subject. At 
least.
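The three defects named in the last paragraph (no HTTP CRL distribution point, no OCSP URL, bad subject) are mechanically checkable once a certificate is parsed. The Go program below is an added example, not code from the thread or from any of the CAs discussed: it builds two constructed self-signed certificates with Go's standard library (hostnames such as `crl.example.test` are placeholders) and runs the same checks over them, so the "good" one passes and the "bad" one fails each check.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Finding records which of the three properties questioned in the thread a
// certificate actually carries.
type Finding struct {
	HTTPCRL   bool // at least one CRL Distribution Point is an http:// URL
	HTTPOCSP  bool // at least one OCSP responder URL (AIA) is an http:// URL
	SubjectCN bool // subject carries a non-empty Common Name
}

// OK is true only when every property is present.
func (f Finding) OK() bool { return f.HTTPCRL && f.HTTPOCSP && f.SubjectCN }

// hasHTTPURL reports whether any of the URLs is plain http://, which is what
// a browser's CRL/OCSP fetcher can actually use (ldap:// or file paths are not).
func hasHTTPURL(urls []string) bool {
	for _, u := range urls {
		if strings.HasPrefix(strings.ToLower(u), "http://") {
			return true
		}
	}
	return false
}

// CheckRevocationInfo inspects an already-parsed certificate.
func CheckRevocationInfo(cert *x509.Certificate) Finding {
	return Finding{
		HTTPCRL:   hasHTTPURL(cert.CRLDistributionPoints),
		HTTPOCSP:  hasHTTPURL(cert.OCSPServer),
		SubjectCN: strings.TrimSpace(cert.Subject.CommonName) != "",
	}
}

// makeTestCert builds a constructed, self-signed certificate for demonstration
// only; subject, CRL and OCSP values are whatever the caller passes in.
func makeTestCert(subject pkix.Name, crl, ocsp []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               subject,
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		CRLDistributionPoints: crl,
		OCSPServer:            ocsp,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// Constructed certificate that satisfies all three checks.
	good, err := makeTestCert(
		pkix.Name{CommonName: "good.example.test"},
		[]string{"http://crl.example.test/ca.crl"},
		[]string{"http://ocsp.example.test"},
	)
	if err != nil {
		panic(err)
	}
	fmt.Printf("good: %+v ok=%v\n", CheckRevocationInfo(good), CheckRevocationInfo(good).OK())

	// Constructed counterexample: no CN, LDAP-only CRL, no OCSP responder.
	bad, err := makeTestCert(
		pkix.Name{Organization: []string{"Constructed Org"}},
		[]string{"ldap://directory.example.test/cn=crl"},
		nil,
	)
	if err != nil {
		panic(err)
	}
	fmt.Printf("bad:  %+v ok=%v\n", CheckRevocationInfo(bad), CheckRevocationInfo(bad).OK())
}
```

To run the same checks over a real certificate, replace the constructed input with `x509.ParseCertificate` on DER read from a file (or `pem.Decode` first for PEM); the checks themselves do not change.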
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy