On 11/04/17 16:23, Ryan Sleevi wrote: > The audits mention the CP/CPS has been evaluated as part of the scope of > the audit.
Yep, OK. > The CP/CPS mentions the issuance of TLS certificates as part of the > hierarchy. For example, > > "E-Sign provides its services in accordance with its Certificate Policy and > Certification Practices Statement" E-Sign's CPS URL is given in its audit statement as: https://www.e-sign.cl/uploads/cps_esign_388.pdf Grepping that document for "TLS" gives no hits. Can you help me some more? E-sign appear to be a Symantec SSL reseller: https://www.e-sign.cl/soluciones/seguridad but of course, I'm sure many companies are, and that's not necessarily a problem. MSC Trustgate's audit statement gives no CPS URL. https://cert.webtrust.org/SealFile?seal=2127&file=pdf However, it certainly appears to be true that this company offers a "Managed PKI for SSL" product: https://www.msctrustgate.com/pdf/ManagedPKIforSSL_Agreement.pdf and that they offer "VeriSign Class 3 organizational SSL Certificate"s, and lets organizations apply for RA status within the Verisign Trust Network. The modification date of that document according to the webserver is 15th March 2012. https://www.msctrustgate.com/product/ssl_id.htm also shows this. They also have a Subscriber Agreement for SSL certificates: https://www.msctrustgate.com/pdf/Class%203%20Organizational%20Certificate%20latest%20pdf.pdf which are also "Symantec Class 3 organizational SSL Certificate"s. The "Buy", "Renew" etc. links on the front page of https://www.msctrustgate.com/ for SSL certs are all 404. According to archive.org, they may have been that way for some time. Odd... Steve? Gerv _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy