Yair, > Re Section 3.4, you seem to assume the domain holder is a ComSign > > subscriber. In case of misissuance, that may not be true. > >>> I understand, for that we added on the CPS on section 3.4 the > following: > "For the handling of revocation requests by other than the Subscriber or > his/her representative, refer to Section 4.9 below." > > Could you please explain how section 4.9 resolves this concern? My understanding of section 4.9 of your CPS is that only the Subscriber or an authorized representative may request revocation.
> > >After reviewing the January Communication we have removed the > problematic > > > methods from our CPS entirely. > Thank you, this is a good change. However, it appears that you have made multiple modifications to your CPS without updating the version number or change log as required by Mozilla policy section 3.3. The latest version is dated January 31, 2018 but is still at version 4.1 as it was back in December. The software we are currently using is RSA CA 6.7 on Solaris. > As we mentioned we are now under audit on the new Microsoft CA and in the > process of moving to that software instead of our old software. > According to the link Ryan provided [1], this version lost extended support in July 2013. Is it correct that you have been using an unsupported version of CA system software for the past 4 1/2 years? Wayne [1] https://community.rsa.com/docs/DOC-73367 _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
