On 02/10/2009 04:25 PM, Yannick LEPLARD:

> The initial comment was written in August 2008, and now we have code signing
> certificates, and it appears in our CP/CPS.

To my understanding the audit wasn't performed with those changes.

> Yes it is not defined in our CP but in our internal operational processes
> and in our CPS too.
> Unfortunately, CPS are not published (they describe internal technical and
> organizational measurements)

This must be stated in the CPS and publicly disclosed. I'm sorry, but in my opinion this is insufficient and will most likely not work.

> RA operators must obtain guarantee that the e-mail address is owned by the
> requester.
> It's difficult in fact to make such controls.

Email validation isn't too difficult to implement, however we have seen various times that this isn't done sufficiently or correctly.

> - Software private keys are generated on the subscriber computer with a
> signed applet

This is interesting! Can you provide us some more information about this applet? Can I test it somewhere?

> We are at the same level as the DCSSI CA that was approved a few days ago.

Each CA is looked at independently and each CA has its own CP/CPS, audit etc.

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog:   https://blog.startcom.org
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
