Thank you to those of you who have reviewed this request and
contributed to the discussion. Your time and commitment to this
process is greatly appreciated!

To summarize this discussion, there were three areas that were of
primary interest. They were:

1) Inclusion of a root that expires in a year and a half
* The recommendation will be to not include the TC TrustCenter Class 1
CA root, which will be phased out before the end of 2010.

2) Questions about the Class 0 certificates that are part of the CPS.
These questions were answered.

3) Questions about the externally-operated subordinate CAs.
Information was provided and clarified. There is an externally-
operated subordinate CA chaining to the TC TrustCenter Class 2 CA II
root, which is used to issue device certificates and email
certificates for internal use only. The device name and the email
address belong to a company internal domain, so the ownership is
guaranteed.

It is requested that TC TrustCenter do the following two action items
before signing future externally-operated subordinate CAs:
1) Add statements in the TC TrustCenter CP/CPS and in the relevant sub-
CA CP/CPS that require that the sub-CA CP/CPS be published when the
sub-CA is allowed to issue certificates outside of their company/
organization.
2) Audit the externally-operated sub-CAs against the same criteria as
the TC TrustCenter CAs annually. Consider including the externally-
operated sub-CAs in the annual audit that a third-party performs
against the TC TrustCenter CAs.

This concludes the public discussion for TC TrustCenter’s request to
add four root CA certificates to the Mozilla root store, as documented
in the following bug: https://bugzilla.mozilla.org/show_bug.cgi?id=392024

I will update the bug to summarize the request and recommend that
Mozilla approve inclusion of three roots: TC TrustCenter Class 2 CA
II, TC TrustCenter Class 3 CA II, and TC TrustCenter Universal CA I.

Thanks,
Kathleen
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
