Per the CA schedule (for which I need to update dates), the next CA on
the list for public comment is SECOM Trust, which has applied to add a
new root CA certificate to the Mozilla root store and enable it for EV,
as documented in the following bug:

https://bugzilla.mozilla.org/show_bug.cgi?id=394419

and in the pending certificates list here:

http://www.mozilla.org/projects/security/certs/pending/#SECOM%20Trust

Note that SECOM Trust has one (non-EV) root already in the Mozilla root
list; this is for a new root created specifically for EV use.

Some quick comments regarding noteworthy points:

* Like some other CAs, SECOM Trust has cross-signed its EV root using
its existing root. However, the plan is to EV-enable only the EV root,
leaving the existing root as is. This is consistent with the approach
we've taken in other cases, and as far as I know this should work fine
in terms of EV certificate recognition.

* SECOM Trust doesn't currently support OCSP. OCSP is not (yet)
mandatory for EV, so this is not an issue from a policy perspective.
IIRC this will not pose a technical problem either, as long as EV certs
issued by SECOM Trust don't have an AIA extension with an OCSP URL.

* SECOM Trust had one caveat on their EV audit, having to do with their
not performing certain background checks on staff. As noted in Kathleen
Wilson's summary document (attached to the bug), this is apparently a
side-effect of Japanese laws and regulations, and not a substantive problem.

I suggest reading Kathleen's summary document to get an overview of this
request; thanks again to Kathleen for preparing these!

For this request and subsequent requests I'm going to adopt a suggestion
made by Eddy a little while back: Rather than having a two-week
discussion period divided into two phases, I'm going to have a single
one-week discussion period. After that week, if there are no outstanding
issues relating to the request then I am going to go ahead and
officially approve it.

However, if there are outstanding issues that in my opinion are relevant,
then I'm going to postpone further consideration of the request. This
will allow time to try to get the issues resolved, after which we can
start a new public discussion period.

Frank
--
Frank Hecker
[EMAIL PROTECTED]
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto