Greetings, I have reviewed your second BR self-assessment (https://bugzilla.mozilla.org/attachment.cgi?id=8860627) against your updated CP/CPS (CP V1.6, CPS V4.5, EV CP V1.4, and EV CPS V1.5) and provided the following comments and/or recommendations.
1. BR Section 3.2.2.5 Authentication for an IP: Per your comments please make sure your CPS states “GDCA does not issue EV certificate for an IP address.”

2. BR Section 3.2.2.7 Data Source Accuracy: I recommend adding the specific length of time data is relied upon (i.e. 39 months or 825 days per BRs) to section 3.2.11 of your CPS.

3. BR Section 3.2.2.7 Data Source Accuracy: I recommend adding the specific length of time data is relied upon (i.e. 39 months or 825 days per BRs) to section 3.2.7 of your EV CPS.

4. BR Section 3.2.3 Authentication of Individual Identity: I do not see in the CPS/CP where the differences in authentication of individuals are backed up by the appropriate technical constraining of the type of certificate issued.

   4.1. Your comments for Type I and Type II Individual Certificates state they “are only for ordinary signing certificates, not for SSL certificates and code signing certificates” but I can’t find in the CPS where this is substantiated. I recommend clearly documenting in the CPS how each type of certificate is technically constrained (i.e. Key Usage, Enhanced Key Usage, etc.) and in CPS section 1.3.7.1 removing the words “but not limited to”.

   4.2. For Type III certificates change the word “can” to “must” (i.e. “This must be validated by ID card, officer card or other valid document issued by government agency.”).

5. BR Section 3.2.5 Validation of Authority: Per your comments please make sure this is clearly defined in the next version of your CPS.

6. BR Section 3.2.6 Criteria for Interoperation or Certification: Per your comments please make sure the next version of your CPS states you do not issue any cross certificates.

7. BR Section 4.2.1 Performing Identification and Authentication Functions: Per your comments please make sure the next version of your CPS states you do not rely on data older than 27 months (or 39 months or 825 days per BRs).

8. BR Section 4.2.2 Approval or Rejection of Certificate Applications: Per your comments please make sure the next version of your CPS states GDCA does not issue certificates containing a new gTLD under consideration by ICANN.

9. BR Section 4.3.1 CA Actions during Certificate Issuance: Per your comments please make sure the next version of your CPS states “Certificate issuance by the Root CA SHALL require an individual authorized by the CA (i.e. the CA system operator, system officer, or PKI administrator) to deliberately issue a direct command in order for the Root CA to perform a certificate signing operation.”

10. BR Section 4.5.1 Subscriber private key and certificate usage: Per your comments please make sure the next version of your CPS details the use of SSL certificates per #4 (Use of Certificate) as described in BR Section 9.6.3 Subscriber Representations and Warranties.

11. BR Section 4.9.13 Circumstances for Suspension: Per your comments please make sure the next version of your CPS states certificate suspension is not allowed.

12. BR Section 4.10.1 Operational Characteristics: Per your comments please make sure the next version of your CPS states “Revocation entries on a CRL or OCSP Response will not be removed until after the Expiry Date of the revoked Certificate”.

13. BR Section 4.10.2 Service Availability: Per your comments please make sure the next version of your CPS states “the service response time shall be less than 10 seconds”.

14. Based on your self-assessment comments in BR sections 1 – 4, I submit it would be useful for you to revisit your assessment of BR sections 5 (MANAGEMENT, OPERATIONAL, AND PHYSICAL CONTROLS) through section 9 (OTHER BUSINESS AND LEGAL MATTERS) and update your BR Assessment.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
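Item 4.1 above asks that each certificate type be constrained technically (Key Usage, Extended Key Usage) rather than by CPS wording alone. The following is an added example, not part of the message and not GDCA's own code, showing how a reviewer could test an issued certificate against a hypothetical "ordinary signing only" profile; it assumes the third-party Python `cryptography` package and builds its own constructed self-signed certificates as sample input.

```python
"""Check whether a certificate's KeyUsage / ExtendedKeyUsage actually restrict it
to a 'signing only' profile (hypothetical name; not GDCA's code). Needs `cryptography`."""
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

TLS_SERVER = ExtendedKeyUsageOID.SERVER_AUTH
CODE_SIGNING = ExtendedKeyUsageOID.CODE_SIGNING
EMAIL_PROTECTION = ExtendedKeyUsageOID.EMAIL_PROTECTION
ANY_EKU = ExtendedKeyUsageOID.ANY_EXTENDED_KEY_USAGE

def violates_signing_only_profile(cert):
    """Return the reasons why `cert` is NOT technically constrained to ordinary
    signing; an empty list means the constraint holds."""
    problems = []
    try:
        ekus = set(cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value)
    except x509.ExtensionNotFound:
        # RFC 5280: no EKU extension means 'any purpose', so only CPS prose limits use.
        problems.append("no EKU extension: usable for any purpose")
        ekus = set()
    if TLS_SERVER in ekus or ANY_EKU in ekus:
        problems.append("EKU permits TLS server authentication")
    if CODE_SIGNING in ekus or ANY_EKU in ekus:
        problems.append("EKU permits code signing")
    try:
        ku = cert.extensions.get_extension_for_class(x509.KeyUsage).value
        if not ku.digital_signature:
            problems.append("KeyUsage lacks digitalSignature")
    except x509.ExtensionNotFound:
        problems.append("no KeyUsage extension")
    return problems

def build_test_cert(ekus, digital_signature=True):
    """Constructed self-signed certificate used only as sample input (not a real cert)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "sample subscriber")])
    now = datetime.datetime.now(datetime.timezone.utc)
    ku = x509.KeyUsage(digital_signature, *([False] * 8))  # only digitalSignature may be set
    builder = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
               .public_key(key.public_key()).serial_number(x509.random_serial_number())
               .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1))
               .add_extension(ku, critical=True))
    if ekus is not None:  # None models a certificate with no EKU extension at all
        builder = builder.add_extension(x509.ExtendedKeyUsage(list(ekus)), critical=False)
    return builder.sign(key, hashes.SHA256())
```

Running the check over a CA's issued Type I/II certificates gives the evidence the CPS alone cannot: an empty problem list for every certificate means the "signing only" claim is enforced in the certificate itself.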