On 10/07/2008 04:07 PM, István Zsolt BERTA:
> As I read above, it currently does not pose a problem that there is an
> OCSP URL in the AIA field of the certificate. If you think that this
> shall become problematic in the future, we can modify the profile of
> webserver certificates and remove the OCSP URL (as long as the OCSP is
> not useful for the general public).

Yes, I think this is what should be done. OCSP responders are not a
requirement currently (so I think it's highly suggested), but using the
AIA extension makes the certificates unusable for any relying party
which treats OCSP failures as an error.

>>> We had good reasons to choose this solution. According to Hungarian
>>> regulations, a qualified CA is allowed to use its private key for the
>>> following two purposes only:
>
>> You are not allowed to issue intermediate CA certificates then? Are you
>> issuing directly from the CA root?
>
> The CA key used for signing qualified certificates can be used for
> signing qualified end-user certificates and CRLs. This also means that
> we cannot issue intermediate CA certificates with that particular key
> and we cannot issue non-qualified certificates either.

Well, I don't get it. Your diagram at
http://srv.e-szigno.hu/menu/index.php?lap=english_ca_hierarchy
shows clearly that you are issuing intermediate CA certificates from
the root, but in the previous comment you claimed that the CA is only
allowed to use

* signing qualified end-user certificates and
* signing CRLs.

Does this apply to the intermediate CA certificates but not the CA root?

> We have a root, which does not issue end-user certificates, but issues
> CA certificates for our own CAs only.

Which root is that? I understand there is only one root up for
inclusion...

>> What are the checks performed on code-signing certificates?
>
> 1. We verify the existence of the company which requests the code-
> signing certificate using an online connection to the Hungarian
> registry of businesses.
> 2. We verify the existence of the documents (driving license, ID card
> or passport) of the person who requests the code-signing certificate
> on behalf of that particular company. We perform this verification
> using an online connection to the Office of the Central Office for
> Administrative and Electronic Public Services.
> http://www.nyilvantarto.hu/kekkh/kozos/index.php?k=nyitolap_en&b=bal_eng
> 3. Using a face-to-face registration (as the CP is NCP-based) we
> verify the identity of the person who requested the certificate on
> behalf of that company. This person has to meet our registration
> officer and has to present the document (driving license, ID card or
> passport) that was verified in step 2.
> 4. We verify that this person has the authority to sign on behalf of
> the company. We generally request a notarial deed (issued by a public
> notary) as a proof.

Thanks for that! I still would like to read your CP/CPS in English
(even if only machine translated). Is it somehow possible to facilitate
that?

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: [EMAIL PROTECTED]
Blog: https://blog.startcom.org
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
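The point Eddy makes above about the AIA extension is easy to see in code: once a certificate carries an OCSP URL in its Authority Information Access extension, a relying party that hard-fails on OCSP errors will reject the certificate whenever the responder is unreachable, whereas a certificate with no OCSP URL is never subjected to that check at all. The following is an added illustration, not code from this thread or from either CA. It builds a DER-encoded AuthorityInfoAccess extension value (RFC 5280 section 4.2.2.1) with a constructed, hypothetical responder URL, parses it back with a small hand-written DER walker, and models the relying-party decision; the hostnames and the `hard_fail` policy flag are assumptions for the example.

```python
"""Constructed example: AIA extension encoding/parsing and relying-party OCSP policy.

No external libraries; only the pieces of DER needed for AuthorityInfoAccessSyntax:
  AuthorityInfoAccessSyntax ::= SEQUENCE OF AccessDescription
  AccessDescription ::= SEQUENCE { accessMethod OID, accessLocation GeneralName }
The accessLocation used here is uniformResourceIdentifier, i.e. [6] IMPLICIT IA5String.
"""

OID_OCSP = "1.3.6.1.5.5.7.48.1"        # id-ad-ocsp
OID_CA_ISSUERS = "1.3.6.1.5.5.7.48.2"  # id-ad-caIssuers
TAG_SEQUENCE = 0x30
TAG_OID = 0x06
TAG_URI = 0x86                        # context-specific [6], primitive


def _der_len(n: int) -> bytes:
    """Encode a DER length (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def _encode_oid(dotted: str) -> bytes:
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (base-128 arcs)."""
    parts = [int(p) for p in dotted.split(".")]
    out = bytearray([40 * parts[0] + parts[1]])
    for arc in parts[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return _tlv(TAG_OID, bytes(out))


def encode_aia(access):
    """access: list of (accessMethod OID, URI) -> DER AuthorityInfoAccessSyntax."""
    descs = b"".join(
        _tlv(TAG_SEQUENCE, _encode_oid(oid) + _tlv(TAG_URI, uri.encode("ascii")))
        for oid, uri in access
    )
    return _tlv(TAG_SEQUENCE, descs)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, body, next_pos) for the TLV starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body: bytes) -> str:
    parts = [body[0] // 40, body[0] % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:  # last octet of this arc
            parts.append(val)
            val = 0
    return ".".join(str(p) for p in parts)


def parse_aia(der: bytes):
    """Parse DER AuthorityInfoAccessSyntax into a list of (OID, URI); skips non-URI names."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("AIA value must be a SEQUENCE")
    result, pos = [], 0
    while pos < len(body):
        t, desc, pos = _read_tlv(body, pos)
        if t != TAG_SEQUENCE:
            raise ValueError("AccessDescription must be a SEQUENCE")
        t_oid, oid_body, p = _read_tlv(desc, 0)
        t_name, name_body, _ = _read_tlv(desc, p)
        if t_oid == TAG_OID and t_name == TAG_URI:
            result.append((_decode_oid(oid_body), name_body.decode("ascii")))
    return result


def ocsp_urls(der: bytes):
    return [uri for oid, uri in parse_aia(der) if oid == OID_OCSP]


def relying_party_status(der: bytes, responder_reachable: bool, hard_fail: bool) -> str:
    """Model the relying-party outcome discussed in the thread.

    'no-ocsp'   : no OCSP URL in AIA, so no OCSP query is attempted (CRL-only path)
    'checked'   : OCSP URL present and the responder answered
    'reject'    : responder unreachable and the client treats OCSP failure as an error
    'unchecked' : responder unreachable but the client soft-fails
    """
    if not ocsp_urls(der):
        return "no-ocsp"
    if responder_reachable:
        return "checked"
    return "reject" if hard_fail else "unchecked"


if __name__ == "__main__":
    # Hypothetical hostnames, constructed for this example.
    with_ocsp = encode_aia([(OID_OCSP, "http://ocsp.example.test/"),
                            (OID_CA_ISSUERS, "http://ca.example.test/ca.crt")])
    without_ocsp = encode_aia([(OID_CA_ISSUERS, "http://ca.example.test/ca.crt")])
    print("OCSP URLs:", ocsp_urls(with_ocsp))
    print("hard-fail, responder down, AIA has OCSP   :", relying_party_status(with_ocsp, False, True))
    print("hard-fail, responder down, AIA has no OCSP:", relying_party_status(without_ocsp, False, True))
```

Running the script shows the asymmetry at issue: the same unreachable responder yields `reject` for the profile that publishes an OCSP URL and `no-ocsp` (certificate still usable via CRL) for the profile that omits it, which is why dropping the URL from the webserver profile removes the risk for hard-failing clients rather than merely hiding it.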