This root inclusion request is currently in the public discussion phase [1]

After reviewing Taiwan GRCA's CP, CPS and related documents [2], I have the 
following comments:

==Good==
1. GRCA has requested that this root be constrained to issuing certificates for 
.tw domains.
2. The BR Self Assessment is very detailed and helpful.

==Meh==
1. This root is intended to replace an older root that has the exact same DN. 
Compatibility concerns were raised but testing performed by GRCA found no 
problems.
2. The CP doesn't contain the 'dated changelog' required under Mozilla policy 
section 3.3.
3. The audit reports don’t include the version numbers of CA policy documents 
referenced during the audit.
4. The WebTrust for CAs audit report doesn’t list all the subordinate CAs 
covered by the audit. They are listed in a supplemental statement provided by 
the auditor.
5. The CP/CPS docs are still in RFC 2527 format.
6. It is not clear how the policy for authenticating individual identity 
described in section 3.1.9 of the GCA CPS meets the requirements of BR 3.2.3 
and 3.2.5. Please provide more detail.
7. In September it was reported that GRCA was signing OCSP responses with an 
unconstrained SHA-1 certificate: 
https://bugzilla.mozilla.org/show_bug.cgi?id=1397832
The issue has been fixed.
8. Procedures that fulfill Mozilla policy section 2.2(2) requirements for 
validating email addresses are not specified in any documents.

==Bad==
1. The application for inclusion states that only the GCA subordinate can issue 
SSL certificates, and this subordinate has its own CPS that lists SSL-specific 
policies such as CAA. The HCA subordinate also has a BR audit, but GRCA has 
stated that it is no longer used to issue SSL certificates. Should the HCA 
subordinate be added to OneCRL along with the other subordinates (XCA, MOICA, 
and MOECACA) that are not BR audited?
2. According to the audit supplement, the MOICA audit report is qualified due 
to ‘one issue related to system access management’, but the actual audit report 
is not written in English. Please describe the issue and how it was resolved.
3. The GCA CPS describes CAA policies, but GRCA’s issuer domain names are not 
listed as required by BR section 2.2.
4. GCA CPS section 3.1.12 describes the domain authorization process for SSL 
certificates, but it does not comply with Mozilla policy section 2.2(3).

One of the recent updates to the application process [1] is a 3-week time 
period for public comments. I would like to apply that change to this inclusion 
request. Specifically, if GRCA has sufficiently answered the questions that I 
have raised above, and any other discussion on this list has reached a 
conclusion, then I will plan to close the discussion period on 10-Feb.

- Wayne

[1] https://wiki.mozilla.org/CA/Application_Process#Process_Overview
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=1065896
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy