On 9 Feb. 09 at 20:54, Eddy Nigg wrote:
The initial comment was written in August 2008, and now we have code signing certificates, and it appears in our CP/CPS.
Yes, it is not defined in our CP but in our internal operational processes and in our CPS too. Unfortunately, CPS are not published (they described internal technical and organizational measurements). RA operators must obtain guarantee that the e-mail address is owned by the requester. It's difficult in fact to make such controls. In practice the name of the requester must appear in the left part of the e-mail address... If not, RA operators are likely to get proof of possession (the request can be rejected in case of doubt). For employees it's easier: the name of the subscriber and domain name of the company can be easily checked. It's the same for domain ownership/control: RA operators verify the names of owner, administrator... in databases (like whois). They visit the website to look at the content, and the request can be rejected if any doubt.
- Our DV SSL certificates have maximum expiration time of 3 years in the future.
- Software private keys are generated on the subscriber computer with a signed applet.
- When the subscriber is using a smartcard, the private key is generated onboard.
- S/MIME certificates are provided to the subscriber by email (not mail, sorry). The subscriber must agree with the certificate and send a return receipt with certificate acceptance. There is a signed applet for the subscriber to ask for a certificate, and to install the issued certificate.
We are at the same level as the DCSSI CA that was approved a few days ago. On the 5th of February 2009, we obtained the compliance with PRIS/RGS for our CAs (and our CP, CPS are compliant with the exemplifications CP/CPS of http://www.mozilla.org/projects/security/certs/pending/#DCSSI) (cf: http://www.references.modernisation.gouv.fr/outil-de-suivi-des-qualifications-et-des-referencements-des-offres-de-certificats). Mr Bouchet from LSTI is the lead auditor mandated by the French government for the ETSI and PRIS/RGS audits. In case of doubt about our practices, you can obtain more information from him. His phone number is: +33 1 30 61 50 60
Yannick LEPLARD
R&D Director
20, allée de la râperie
59650 Villeneuve d'Ascq
tel.: 03 20 79 24 09
fax: 03 20 34 20 52
This e-mail is electronically signed with a Certigna certificate. It has legal value. For more information, visit www.certigna.fr.
-- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto