On Monday, April 4, 2016 at 9:40:02 PM UTC+3, Andrew R. Whalley wrote:
> It looks like https://fedir.comsign.co.il/test.html is trusted by OS X,
> which for me meets the criteria for a Publicly‐Trusted Certificate.  That
> certificate was issued on 2nd Feb, so I presume the 90 day clock is ticking.
> 
> >

Hello Andrew,

According to your interpretation, there should be no Point-In-Time readiness 
audits at all. At the very first moment of submitting an inclusion request 
there must already be some test certificates issued in order to comply with the 
BR – and this is the case with the certificate for fedir.comsign.co.il that you 
mentioned. Does is mean that issuing any test certificate immediately makes the 
CA a production system and requires a period audit?

Regarding the Inclusion in the Apple Root Certificate Program – whether or not 
a third party like Apple trusts this root is beside the point. This is not a 
correct interpretation of the term ‘issuing Publicly-Trusted Certificates’ as 
it is used by Mozilla.
Citing from the Mozilla Wiki - CA:BaselineRequirements 
(https://wiki.mozilla.org/CA:BaselineRequirements):

“if the root certificate is not yet in production and is not yet issuing 
certificates to customers, then a Point in Time Readiness Assessment of BR 
compliance (BR PITRA) may be used. In this case a BR PITRA prior to inclusion 
may be used, but the next annual audit after inclusion would need to be a full 
performance audit. Note: If the inclusion process spans more than one annual 
audit cycle, then more than one BR PITRA may be used, until the root 
certificate has been included or the root certificate is put into operation 
producing certificates for customers, whichever comes first.”

This is exactly the case with the ‘Comsign Global Root CA’ inclusion process – 
the initial inclusion request was submitted on July 2011, and since then there 
have been many delays. Some of these delays were entirely out of Comsign’s 
control, such as a waiting queue for the public discussion which took about 
four months.

Thanks,

Eli Spitzer, Information security & System Management, Comsign

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Reply via email to