Rolf, thank you for your answers!

On 03/31/2009 10:05 AM, Rolf Lindemann:
> Regarding b) No, this does not necessarily apply to all sub CAs which might appear in the future. In the future we might also get customers which want to use such certificates externally. We'll add the requirement to publish the applicable CP/CPS in our root signing contract.
And perhaps add that requirement to your own CP/CPS too...
> Regarding g) Our current requirements include an in-depth CP and CPS review and intense discussions of the procedures with our customers. There are no requirements for the external entities to undergo third party audits unless we decide that it is necessary. We have the right to impose this requirement already defined in our contract with the external entities.
Perhaps in the future they could be part of your ongoing audits instead of only auditing your controls? It would give the relying parties assurance that those CAs truly adhere to the same requirements as your CA does and were duly audited as part of your infrastructure.
As such, I recommend the inclusion of the requested roots TC TrustCenter Class 2 CA II, TC TrustCenter Class 3 CA II and TC TrustCenter Universal CA I. I recommend not including TC TrustCenter Class 1 CA for the reasons stated previously.
--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog: https://blog.startcom.org