All,

My apologies for taking so long to get back to this discussion about the Government of Taiwan's (GRCA's) request to include their Government Root Certification Authority root certificate, and turn on the Websites and Email trust bits.

Note that GRCA has suggested that this root be constrained to *.tw.

To my knowledge, the questions and concerns raised about this request have been resolved. In particular:

1) There are several intermediate certificates that are technically capable of issuing TLS certificates, but have not been audited according to the BRs. We have resolved this particular situation in the past by having the CA get an audit statement saying that the intermediate certificate has not issued TLS certificates during the audit period, and requiring that the CA get such an audit statement annually. GRCA has provided the requested audit statement:
https://www.google.com/url?q=https%3A%2F%2Fbug1065896.bmoattachments.org%2Fattachment.cgi%3Fid%3D8835815&sa=D&sntz=1&usg=AFQjCNH9syh0sbLxMj35bdC1TDeQslx32w

2) The new root certificate has the same exact full distinguished name as the old root certificate. My recommendation is that we allow it this time, but not for future root certs from this CA.

So, if there are no further questions or comments about this CA's request, then I will close this discussion and recommend approval in the bug.

Thanks,
Kathleen
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy