Hi All, In this discussion of KISA CA, it seems to conclude that KISA root certificate should not be included in Mozilla trust list AND the subordinate CAs should apply for inclusion themselves. On the other hand, in the discussion regarding "Super CA", Mozilla seems to accept inclusion of "Super CA" by saying that their subordinate CAs must apply for inclusion of their own certificate until certain criteria are satisfied.
It is very confusing what position Mozilla will take. Does the subordinate CAs required to apply for inclusion themselves? It looks like that KISA CA is by definition also a "Super CA", isn't it? regards Man On 4/1/2014 6:26 AM, Kathleen Wilson wrote: > On 3/4/14, 11:38 AM, Kathleen Wilson wrote: >> All, >> >> I will appreciate your input on how to proceed with the KISA root >> inclusion request. >> > > > All, > > Thank you for your thoughtful and constructive input. > > I believe that there is consensus on the following three points. > > 1) The KISA CA does not issue end-entity certificates for websites > (SSL/TSL), Code Signing, or email (S/MIME), so there is no need for > Mozilla to include the KISA root certificate. > > 2) LCAs are CAs who are licensed by KISA to operate in Korea, and they > issue certificates for websites, code signing, and/or email. LCAs > should apply for inclusion themselves and be audited annually > according to Mozilla's CA Certificate Policy. (sections 11 through 14 > of > http://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/inclusion/) > > 3) Mozilla's policy requires audits that incorporate certain audit > criteria, including the CA/Browser Forum's Baseline Requirements. KISA > may incorporate this audit criteria into their annual audits of their > LCAs, and demonstrate this audit criteria to Mozilla. Or the LCAs may > get another audit from another organization according to this audit > criteria. > > Please let me know if I've missed anything. > > Thanks, > Kathleen > > > > > _______________________________________________ > dev-security-policy mailing list > dev-security-policy@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-security-policy > _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
