On 1/7/16 12:29 PM, Kathleen Wilson wrote:
Until such time that the provide this, I don't see how they are any
different from the thousands of private PKIs that are run by companies
for their own use. Many of those PKIs may be used to MITM
connections.
OK. I suppose that means I should go ahead and start the information
verification process for this request.
https://wiki.mozilla.org/CA:How_to_apply#Information_Verification
All CAs should be held to the same standard when asking for admission
to the Mozilla program, this is no different.
That's very logical.
I was sort of hoping to avoid spending the time doing the Information
Verification if I didn't have to.
Thanks to all of you who are thoughtfully considering this ongoing
discussion about MiTM and Government CAs.
I did go ahead and start the Information Verification for the request to
include the Government of Kazakhstan's root certificate. The following
is copied from a comment I added to the bug.
https://bugzilla.mozilla.org/show_bug.cgi?id=1232689#c11
~~
(In reply to Kathleen Wilson from comment #6)
> Created attachment 8705877 [details]
> 1232689-CAInformation.pdf
>
> I have entered the information for this request into Salesforce.
>
> Please review the attached document to make sure it is accurate and
> complete, and comment in this bug to provide corrections and the
additional
> requested information (search for NEED in the attached document)
I would like to point out a few things...
1) The need for the Baseline Requirements (BR) audit is listed in the
attached CA Information document.
Completing a successful BR audit would mean that the auditor ensured the
CA meets the requirements for validating that the certificate subscriber
owns/controls the domain name(s) to be included in the certificate.
(i.e. a BR audit should fail if the CA issues MITM certificates)
Reference: https://cabforum.org/baseline-requirements-documents/
2) All documentation, including the audit statements must be public-facing.
3) This CA might be a super CA. If it is, then we would need to take the
approach described here:
https://wiki.mozilla.org/CA:SubordinateCA_checklist#Super-CAs
"Some CAs sign the certificates of subordinate CAs to show that they
have been accredited or licensed by the signing CA. Such signing CAs are
called Super-CAs, and their subordinate CAs must apply for inclusion of
their own certificates..."
~~
Thanks,
Kathleen
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
