On 9 Feb 09 at 20:54, Eddy Nigg wrote:

On 02/09/2009 09:35 PM, kathleen95...@yahoo.com:
Of course. I will await your next post to this discussion.


Just browsing through the various documents and I noticed the following so far.

It seems to me that the code signing bit *should not* be activated, it should be reflected in the "Pending" page as well.

The initial comment was written in August 2008, and now we have code signing
certificates, and it appears in our CP/CPS.



Email validation seems to me ambiguous at least and apparently not defined in their CP/CPS. Neither is domain ownership/control validation defined as I understand.

Yes, it is not defined in our CP but in our internal operational processes
and in our CPS too.
Unfortunately, CPS are not published (they describe internal technical and
organizational measures).
RA operators must obtain a guarantee that the e-mail address is owned by the
requester.
It's difficult in fact to make such controls. In practice the name of the
requester must appear in the left part of the e-mail address... If not, RA
operators are likely to get proof of possession (the request can be rejected
in case of doubt). For employees it's easier: the name of the subscriber and
domain name of the company can be easily checked.

It's the same for domain ownership/control:
RA operators verify the names of owner, administrator... in databases (like whois).
They visit the website to look at the content, and the request can be rejected if there is any doubt.



Repeated requests for translating the relevant parts have not been complied with. Comments in this respect (bug 393166, comment 15, d) ) have no relevance to the question asked and your questions in comment 13 have partly not been answered, in particular 2.d. Besides a general denial in regards of problematic practices, no details have been provided.

- Our DV SSL certificates have maximum expiration time of 3 years in the
future.

- Software private keys are generated on the subscriber's computer with a
signed applet.
- When the subscriber is using a smartcard, the private key is generated
onboard.


In particular I couldn't find out for how long their certificates are valid and how S/MIME certificates are provided to the subscriber ("We send the certificate to the subscriber by mail").

- Certificates are valid 1, 2 or 3 years.

- S/MIME certificates are provided to the subscriber by email (not mail,
sorry). The subscriber must agree with the certificate and send a return
receipt with certificate acceptance.
There is a signed applet for the subscriber to ask for a certificate, and to
install the issued certificate.



Overall I think there is very little information available about this CA (in English) and I'm hesitant to continue without a more thorough review of critical aspects.

We are at the same level as the DCSSI CA that was approved a few days ago.
On 5 February 2009, we obtained compliance with PRIS/RGS for our
CAs (and our CP, CPS are compliant with the exemplifications CP/CPS of
http://www.mozilla.org/projects/security/certs/pending/#DCSSI )

(cf.: http://www.references.modernisation.gouv.fr/outil-de-suivi-des-qualifications-et-des-referencements-des-offres-de-certificats )


Mr Bouchet from LSTI is the lead auditor mandated by the French government for the ETSI and PRIS/RGS audits.
In case of doubt about our practices, you can obtain more information from him.
His phone number is: +33 1 30 61 50 60




-- 
Regards



Yannick LEPLARD
R&D Director




20, allée de la râperie
59650 Villeneuve d'Ascq
tel.: 03 20 79 24 09
fax: 03 20 34 20 52




This email is electronically signed with a Certigna certificate. It has legal value.
For more information, visit www.certigna.fr.

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
