Dear Sándor, I have a couple of follow-up questions for Microsec.
There were some responses during the recent public discussion in which Microsec indicated it would update its CPS(es). When do you anticipate that this will occur? Also, it is also unclear from the quoted thread below whether such updates will include additions to section 1.5.2 as required by Section 4.9.3 of the Baseline Requirements. Could you please clarify if and when section 1.5.2 will be updated? Thanks. Sincerely yours, Ben Wilson Mozilla Root Program - BR section 4.9.3 requires CPS section 1.5.2 to contain instructions for reporting an issue such as key compromise to the CA. The Microsec CPS’ only state that questions related to the policy may be reported via the info in that section, and other email addresses (“highpriority...@e-szigno.hu”, “revoc...@e-szigno.hu") are found in other sections of some documents. Section 4.9.5 then states that revocation requests are only accepted at the address listed in section 1.2, but there is no email address in this section. The CPS of Microsec is structured according to the requirement of RFC3647. This also required by the CABF BR in section 2.2. According to RFC3647 the Section 1.5 is for the policy administration and section 1.5.2 defines the contact person who is responsible for maintaining the CPS. Section 4.9.3 of the CPS contains detailed information about the possibilities of revocation request submission. Section 1.3.1 contains the email addresses, where revocation request can be sent (mentioning section 1.2 is an editorial mistake, it will be corrected in the next version of the CPS). Section 4.9.3 contains also a subsection which describes the High-Priority Certificate Problem Report mechanism. More detailed information can be found on our website on the given link. _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
