Hi Arkadiusz, On 23/11/16 07:25, Arkadiusz Ławniczak wrote: > WoSign, as our Partner, is entitled to sell Asseco Data Systems > (Certum) products through its own distribution network. While > recently issued intermediate CAs certificates are dedicated to WoSign > as our reseller, so that WoSign can sell certificates under its own > brand, they (private keys and HSMs) remain under the exclusive > control of Certum. As you may see and as Richard ammended previously, > all certificates are being issued under Certum policy (as well as BR > policy). This means that the verification of each end-entity > certificate is implemented within the Certum's systems and > procedures. In addition, the entire infrastructure is under the > supervision of Certum.
Thank you for this statement, which (as Nick says) is reassuring, and explains all the relevant details. If Certum is doing the validation, and controls the private keys and HSMs, then I don't see that Mozilla has an objection to this business arrangement. Gerv _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy