On 4/6/15 2:06 PM, Kathleen Wilson wrote:
On 2/9/15 1:08 PM, Kathleen Wilson wrote:
Krajowa Izba Rozliczeniowa (KIR) S.A. has applied to include the "SZAFIR
ROOT CA" root certificate and enable all three trust bits.

The first discussion is here:
https://groups.google.com/d/msg/mozilla.dev.security.policy/aNbK4zw_Zb8/ekmVXYXvfQ4J



The action items resulting from the first discussion are listed here:
https://bugzilla.mozilla.org/show_bug.cgi?id=817994#c37

I have confirmed completion of the action items.

For your convenience, I will re-summarize the request below.

KIR S.A. is a private corporation in Poland which currently mainly
issues qualified certificates for the general public and plans to issue
non-qualified certificates. KIR S.A. is an automated clearing house in
Poland and its core business is clearings, and it has built numerous
business relationships within the banking sector. Therefore, KIR S.A. is
aiming to expand its sales in services such as SSL and VPN certificates.
KIR S.A. has another line of products called PayByNet, and has created a
vast network of relationships within online stores that KIR S.A. can
leverage to create a customer base for trusted non-qualified certificates.

The request is documented in the following bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=817994

And in the pending certificates list:
http://www.mozilla.org/projects/security/certs/pending/

Summary of Information Gathered and Verified:
https://bugzilla.mozilla.org/attachment.cgi?id=8559351

Noteworthy points:

* The primary documents, the CP and CPS, are provided in both English
and Polish.

Document Repository:
http://eng.elektronicznypodpis.pl/en/information/documents-and-agreements
CPS:
http://www.elektronicznypodpis.pl/files/doc/certification_practice_statement.pdf
CP:
http://elektronicznypodpis.pl/files/doc/certification_policy.pdf

* CA Hierarchy: There is currently one internally-operated
subordinate-CA which issues 6 types of end-user certificates:
- Standard certificate - For protection of information sent
electronically, using mainly e-mail, for authorizing access to systems,
customer authentication in SSL connections. It allows signing and
encrypting data in an electronic form and authenticating subscribers.
- Code signing certificate
- VPN certificate
- SSL certificate
- Test certificate - For testing co-operation of the certificate with
solutions used or developed by a recipient of certification services or
a subscriber.
- ELIXIR certificate - This kind of certificate is issued only for
Participants of ELIXIR and EuroELIXIR systems. Will start to issue all
Elixir certs including the EKU extension with value id-kp-clientAuth
from the 15th of February. Will update CPS to reflect this.

* The request is to enable all three trust bits.



Thanks to all of you who have contributed to this discussion.

Note that their 2015 audit statement has been provided:
https://cert.webtrust.org/SealFile?seal=1845&file=pdf

I believe that all of the questions and concerns that were raised
regarding this root inclusion request have been resolved. Please reply
if you think I've missed anything.

Otherwise, I will move forward with closing this discussion and
recommending approval in the bug.

Thanks,
Kathleen



Thanks again to everyone who participated in this discussion.

I am now closing this discussion and will recommend approval in the bug.

https://bugzilla.mozilla.org/show_bug.cgi?id=817994

Any further follow-up on this request should be added directly to the bug.

Thanks,
Kathleen


_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
