Hello,

On Thursday, March 6, 2014 at 9:12:25 PM UTC+9, Erwann Abalea wrote:
> Hello Samuel,
> 
> On Thursday, March 6, 2014 at 10:37:30 AM UTC+1, spar...@gmail.com wrote:
> 
> > Let me start with the Webtrust audit the Crosscert got.
> > 
> > The Webtrust audit Crosscert received is for the Verisign service they are 
> > offering.
> > 
> > For your information, Crosscert is also a sub-CA of Verisign. However, the two 
> > systems (KISA and Verisign) are separately operated and the audit does not 
> > cover the area of KISA's certificates. It is Crosscert's business to 
> > operate the Verisign service, so KISA does not care about it as long as it does 
> > not affect KISA's certificates. 
> 
> So, "Crosscert" has at least 2 different CAs, one signed by VeriSign and 
> audited to be conformant with WebTrust (for CA/EV? which version?), the other 
> one signed by KISA and audited by KISA.

Yes, it is Webtrust for CA, not EV.

> 
> This second audit doesn't satisfy the Mozilla criteria *at all*: independent 
> auditor, audit criteria among the accepted ones, and, reading the long 
> ticket, competent party.

According to Mozilla's definition of an independent party, KISA is an independent 
organization from the Sub-CAs (not employees nor directors), is not compensated 
financially, and is also bound by law and government regulation to do the 
auditing. For what reason are you saying that we are not satisfied *at all*? 
Have you gone through our act, decree and ordinance, which lead to the audit 
criteria, and compared them with WebTrust? On Bugzilla we already posted the CPSs 
of the sub-CAs, and under Electronic Signature Act regulation article 13.5 KISA 
audits every year whether the sub-CAs are operated as their published CPS states.

> 
> > KISA is designated by law to do the actual auditing of CAs (for KISA's 
> > certificates) and the audit criteria are all from the act, decree, 
> > ordinance and regulations derived from them (Korea Electronic Signature Act). I 
> > believe that for several years what KISA was trying to convince Mozilla of was how 
> > KISA audits the sub-CAs, and Mozilla's request was for KISA to get a 
> > WebTrust. Now we got a WebTrust 
> > (https://cert.webtrust.org/ViewSeal?id=1622).
> 
> But you got a Webtrust for a CA that isn't concerned by the request.
> 
> > If you are requesting the Sub-CAs' WebTrust now, it will be a very 
> > disappointing issue, delaying the entire time-line we were expecting (since 
> > we were trying to include the KISA certificate from 2006).
> 
> A quick Google search for old versions of Mozilla Policy brings this link:
> 
> http://www-archive.mozilla.org/projects/security/certs/policy/
> 
> This is version 1.2 of the policy, dated 2008. It wasn't perfect, some 
> gray areas were present, but at least, in this policy, the "independent, 
> competent, criteria" principles were already written, and KISA didn't reply 
> to any of them. This isn't new.

The point I am trying to make is that there was no mention from Mozilla (on 
Bugzilla) that we should reply to them; meaning that, since there was no mention, 
we understood and believed that KISA's audit was accepted by Mozilla.

> 
> > As you may or may not know, every accredited CA in Korea is strictly ruled by 
> > the government (that's why they are designated 'accredited'). In case of any accident or 
> > security matter, the Korean government will respond directly.
> 
> And Mozilla policy doesn't take that into account. A CA can be covered by 
> several audits if necessary.

I am not saying that we should be accepted just because we are controlled by 
the government. I am just saying that the audit KISA is doing of the Sub-CAs is as clear 
as any other disclosed audit, since it is run by the government (by law). The criteria 
are from the act, decree and ordinance, which are publicly disclosed, and KISA will be 
questioned by the National Assembly and congressmen if we do not perform our audit 
clearly. I don't see any reason why KISA's auditing is not acceptable.

> 
> > And for your information, KISA's certificate was already included in MS IE, 
> > Apple Safari, Opera and also Android OS several years ago.
> 
> That's not an argument.
> 
> > And of course, the Korea Electronic Signature Act, decree, ordinance and 
> > regulations fulfill Mozilla's requirements (I believe that's what we 
> > were trying to convince Mozilla of through Bugzilla ever since 2006). 
> 
> I'm not convinced. The example certificates I've seen so far don't contain an 
> HTTP URL for a CRL, don't contain an OCSP URL, and contain a bad subject. At 
> least.

You can see from Bugzilla that we are aware of this and are changing them right 
now; if the issue above (about accepting KISA's audit) is solved, I assure you 
this can be handled right away.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy