As Kathleen explained, KISA does not issue any end-entity certificate (no SSL cert, no client cert issued by KISA). KISA issues only 5 CA certificates and no more.
Perhaps WebTrust criteria have not envisaged this kind of 'Super CA', whose role is merely administrative and somewhat 'abstract'. It is true that KISA was audited regarding certificate issuance, renewal, revocation, distribution, etc. But it was with regard to "only 5 certificates" issued and maintained by KISA. KISA is not a CA in the usual sense. A sensible approach would be that each LCA (who is a real CA issuing end entity certificates) should be audited according to the standard satisfactory to Mozilla before it is trusted by Mozilla.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy