On Monday, April 4, 2016 at 9:40:02 PM UTC+3, Andrew R. Whalley wrote:
> It looks like https://fedir.comsign.co.il/test.html is trusted by OS X,
> which for me meets the criteria for a Publicly‐Trusted Certificate.  That
> certificate was issued on 2nd Feb, so I presume the 90 day clock is ticking.

Hello Andrew,

According to your interpretation, there should be no Point-In-Time readiness 
audits at all. At the very first moment of submitting an inclusion request 
there must already be some test certificates issued in order to comply with the 
BR – and this is the case with the certificate for fedir.comsign.co.il that you 
mentioned. Does it mean that issuing any test certificate immediately makes the 
CA a production system and requires a periodic audit?

Regarding the Inclusion in the Apple Root Certificate Program – whether or not 
a third party like Apple trusts this root is beside the point. This is not a 
correct interpretation of the term ‘issuing Publicly-Trusted Certificates’ as 
it is used by Mozilla.
Citing from the Mozilla Wiki - CA:BaselineRequirements 

“if the root certificate is not yet in production and is not yet issuing 
certificates to customers, then a Point in Time Readiness Assessment of BR 
compliance (BR PITRA) may be used. In this case a BR PITRA prior to inclusion 
may be used, but the next annual audit after inclusion would need to be a full 
performance audit. Note: If the inclusion process spans more than one annual 
audit cycle, then more than one BR PITRA may be used, until the root 
certificate has been included or the root certificate is put into operation 
producing certificates for customers, whichever comes first.”

This is exactly the case with the ‘Comsign Global Root CA’ inclusion process – 
the initial inclusion request was submitted in July 2011, and since then there 
have been many delays. Some of these delays were entirely out of Comsign’s 
control, such as a waiting queue for the public discussion which took about 
four months.


Eli Spitzer, Information security & System Management, Comsign

dev-security-policy mailing list