On 2/10/2009 6:25 AM, Yannick LEPLARD wrote:
>
> On 9 Feb 09 at 20:54, Eddy Nigg wrote:
>
>> On 02/09/2009 09:35 PM, kathleen95...@yahoo.com
>> <mailto:kathleen95...@yahoo.com>:
>>> Of course. I will await your next post to this discussion.
>>>
>>
>> Just browsing through the various documents and I noticed the following so
>> far.
>>
>> It seems to me that the code signing bit *should not* be activated; it
>> should be reflected in the "Pending" page as well.
>
> The initial comment was written in August 2008, and now we have code signing
> certificates, and it appears in our CP/CPS.
>
>> Email validation seems to me ambiguous at least and apparently not defined
>> in their CP/CPS. Neither is domain ownership/control validation defined as I
>> understand.
>
> Yes, it is not defined in our CP but in our internal operational processes
> and in our CPS too.
> Unfortunately, CPS are not published (they describe internal technical and
> organizational measurements).
> RA operators must obtain a guarantee that the e-mail address is owned by the
> requester.
> It's difficult in fact to make such controls. In practice the name of the
> requester must appear in the left part of the e-mail address... If not, RA
> operators are likely to get proof of possession (the request can be rejected
> in case of doubt). For employees it's easier: the name of the subscriber and
> domain name of the company can be easily checked.
>
> It's the same for domain ownership/control:
> RA operators verify the names of owner, administrator... in databases (like
> whois).
> They visit the website to look at the content, and the request can be
> rejected in case of any doubt.
>
>> Repeated requests for translating the relevant parts have not been complied
>> with. Comments in this respect (bug 393166, comment 15, d) ) have no relevance
>> to the question asked and your questions in comment 13 have partly not been
>> answered, in particular 2.d. Besides a general denial in regards of
>> problematic practices, no details have been provided.
>
> - Our DV SSL certificates have a maximum expiration time of 3 years in the
> future.
>
> - Software private keys are generated on the subscriber computer with a
> signed applet.
> - When the subscriber is using a smartcard, the private key is generated
> onboard.
>
>> In particular I couldn't find out for how long their certificates are valid
>> and how S/MIME certificates are provided to the subscriber ("We send the
>> certificate to the subscriber by mail").
>
> - Certificates are valid 1, 2 or 3 years.
>
> - S/MIME certificates are provided to the subscriber by email (not mail,
> sorry). The subscriber must agree with the certificate and send a return
> receipt with certificate acceptance.
> There is a signed applet for the subscriber to ask for a certificate, and to
> install the issued certificate.
>
>> Overall I think there is very little information available about this CA (in
>> English) and I'm hesitant to continue without a more thorough review of
>> critical aspects.
>
> We are at the same level as the DCSSI CA that was approved a few days ago.
> On February 5th, 2009, we obtained compliance with PRIS/RGS for our
> CAs (and our CP, CPS are compliant with the exemplifications CP/CPS of
> http://www.mozilla.org/projects/security/certs/pending/#DCSSI ).
>
> (cf.: http://www.references.modernisation.gouv.fr/outil-de-suivi-des-qualifications-et-des-referencements-des-offres-de-certificats )
>
> Mr Bouchet from LSTI is the lead auditor mandated by the French government
> for the ETSI and PRIS/RGS audits.
> In case of doubt about our practices, you can obtain more information from
> him. His phone number is: +33 1 30 61 50 60
You state ". . . CPS are not published . . . "

Repeatedly, the "WebTrust Program for Certification Authorities" indicates that the CPS is PUBLISHED. This means it is made available to the public, to both those who have certificates and those who trust those certificates. If you were audited in conformance with WebTrust criteria, how did you pass the audit without publishing your CPS?

--
David E. Ross
<http://www.rossde.com/>

Go to Mozdev at <http://www.mozdev.org/> for quick access to extensions for Firefox, Thunderbird, SeaMonkey, and other Mozilla-related applications. You can access Mozdev much more quickly than you can Mozilla Add-Ons.
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto