On 3/4/14, 11:38 AM, Kathleen Wilson wrote:
All,

I will appreciate your input on how to proceed with the KISA root
inclusion request.



All,

Thank you for your thoughtful and constructive input.

I believe that there is consensus on the following three points.

1) The KISA CA does not issue end-entity certificates for websites (SSL/TLS), Code Signing, or email (S/MIME), so there is no need for Mozilla to include the KISA root certificate.

2) LCAs are CAs who are licensed by KISA to operate in Korea, and they issue certificates for websites, code signing, and/or email. LCAs should apply for inclusion themselves and be audited annually according to Mozilla's CA Certificate Policy. (sections 11 through 14 of http://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/inclusion/)

3) Mozilla's policy requires audits that incorporate certain audit criteria, including the CA/Browser Forum's Baseline Requirements. KISA may incorporate these audit criteria into their annual audits of their LCAs, and demonstrate these audit criteria to Mozilla. Or the LCAs may get another audit from another organization according to these audit criteria.

Please let me know if I've missed anything.

Thanks,
Kathleen




_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
