Eddy Nigg wrote:
> This is perhaps the first EV request which doesn't have an operating 
> OCSP responder at this stage. The EV guidelines require it only in 2010; 
> however, I haven't come across a CA which doesn't provide this service 
> *and* issues EV.

As Nelson notes, I don't think GlobalSign is the only one, though I 
can't think of others' names right at the moment.

In any case, GlobalSign is planning to offer OCSP in the future, it's 
not a current requirement of the EV guidelines, and not a requirement of 
our policy either. So it doesn't affect approval of this request one way 
or the other.

> Not sure what GlobalSign deems as a secure manner to provide PKCS12 
> files (including private keys) mentioned in 1.9.6.9 of their CPS.

I'll ask about this issue.

> Even though Frank mentioned it in the bug and referred to the 
> "information checklist" and after examining the CPS (not too thorough 
> however), I couldn't clearly find out about how exactly email (and 
> domain ownership) are verified. It merely states that "Globalsign has 
> the right to request proof of the ownership of the domain name or can 
> ask the owner of the domain name to validate the request of the 
> applicant". This seems somewhat vague to me. The same is true for email 
> validation. GlobalSign however provides a limited liability of 100,000 
> Euro for invalid domain names, which should be incentive enough to 
> actually do so in some way... ;-)

GlobalSign has stated that they do in fact verify email account control 
using the typical mechanisms used by other CAs, and they will revise 
future versions of the CPS to state this more clearly. I too think they 
could have made this more clear up front, but I don't see a real issue 
here. Ditto re domain ownership.

Frank

-- 
Frank Hecker
[EMAIL PROTECTED]
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
