Greetings, I have reviewed your second BR self-assessment
(https://bugzilla.mozilla.org/attachment.cgi?id=8860627) against your updated
CP/CPS (CP V1.6, CPS V4.5, EV CP V1.4, and EV CPS V1.5) and provided the
following comments and/or recommendations.
1. BR Section 3.2.2.5 Authentication for an IP: Per your comments please make
sure your CPS states “GDCA does not issue EV certificate for an IP address.”
2. BR Section 3.2.2.7 Data Source Accuracy: I recommend adding the specific
length of time data is relied upon (i.e. 39 months or 825 days per BRs) to
section 3.2.11 of your CPS.
3. BR Section 3.2.2.7 Data Source Accuracy: I recommend adding the specific
length of time data is relied upon (i.e. 39 months or 825 days per BRs) to
section 3.2.7 of your EV CPS.
4. BR Section 3.2.3 Authentication of Individual Identity: I do not see in the
CPS/CP where the differences in authentication of individuals are backed up by
the appropriate technical constraining of the type of certificate issued.
4.1. Your comments for Type I and Type II Individual Certificates state they
“are only for ordinary signing certificates, not for SSL certificates and code
signing certificates” but I can’t find in the CPS where this is substantiated.
I recommend clearly documenting in the CPS how each type of certificate is
technically constrained (i.e. Key Usage, Enhanced Key Usage, etc.) and in CPS
section 1.3.7.1 removing the words “but not limited to”.
4.2. For Type III certificates change the word “can” to “must” (i.e. “This
must be validated by ID card, officer card or other valid document issued by
government agency.”).
5. BR Section 3.2.5 Validation of Authority: Per your comments please make sure
this is clearly defined in the next version of your CPS.
6. BR Section 3.2.6 Criteria for Interoperation or Certification: Per your
comments please make sure the next version of your CPS states you do not issue
any cross certificates.
7. BR Section 4.2.1 Performing Identification and Authentication Functions: Per
your comments please make sure the next version of your CPS states you do not
rely on data older than 27 months (or 39 months or 825 days per BRs).
8. BR Section 4.2.2 Approval or Rejection of Certificate Applications: Per your
comments please make sure the next version of your CPS states GDCA does not
issue certificates containing a new gTLD under consideration by ICANN.
9. BR Section 4.3.1 CA Actions during Certificate Issuance: Per your comments
please make sure the next version of your CPS states “Certificate issuance by
the Root CA SHALL require an individual authorized by the CA (i.e. the CA
system operator, system officer, or PKI administrator) to deliberately issue a
direct command in order for the Root CA to perform a certificate signing
operation.”
10. BR Section 4.5.1 Subscriber private key and certificate usage: Per your
comments please make sure the next version of your CPS details the use of SSL
certificates per #4 (Use of Certificate) as described in BR Section 9.6.3
Subscriber Representations and Warranties.
11. BR Section 4.9.13 Circumstances for Suspension: Per your comments please
make sure the next version of your CPS states certificate suspension is not
allowed.
12. BR Section 4.10.1 Operational Characteristics: Per your comments please
make sure the next version of your CPS states “Revocation entries on a CRL or
OCSP Response will not be removed until after the Expiry Date of the revoked
Certificate”.
13. BR Section 4.10.2 Service Availability: Per your comments please make sure
the next version of your CPS states “the service response time shall be less
than 10 seconds”.
14. Based on your self-assessment comments in BR sections 1 – 4, I submit it
would be useful for you to revisit your assessment of BR sections 5
(MANAGEMENT, OPERATIONAL, AND PHYSICAL CONTROLS) through section 9 (OTHER
BUSINESS AND LEGAL MATTERS) and update your BR Assessment.
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy