A few problems here:

1.) Please go to http://www.mozilla.org/projects/security/certs/pending/#id0x118b3bd8 and click on the first "Download/Install" link (for example https://www.a-trust.at/certs/A-Trust-Qual-01a.crt ). This is not a CA certificate! This is true for all the others as well...

2.) The links under section documents point to various CA policies and practices:

http://www.a-trust.at/docs/cp
http://www.a-trust.at/docs/cps

But it seems to be impossible for me to establish a direct path between the requested roots in question to any of the CA policies.

3.) The same is true for the information provided by http://signatur.rtr.at/en/providers/providers/atrust.html . When examining the various entries I can't establish a connection between the *4* roots requested for inclusion. The CA certificates from that page and following pages and entries are signed by Telekom-Control-Kommission. The document http://www.a-trust.at/DOCS/CA-Hierarchy_v10.pdf doesn't help either...

4.) There are 19 different CA certificates on http://signatur.rtr.at/en/providers/providers/atrust.html , some of them marked as active; about each one seems to have very different qualifications and minimum requirements! All of them are issued by Telekom-Control-Kommission. But when examining the issuer of https://www.a-trust.at/certs/A-Trust-Qual-01a.crt (a-sign-corporate-light-01) it says A-Trust-nQual-01. When checking the corresponding entry of a-sign-corporate-light at http://signatur.rtr.at/en/providers/providers/atrust.html it says something else (i.e. issued by Telekom-Control-Kommission).

5.) In the original bug at https://bugzilla.mozilla.org/show_bug.cgi?id=373746#c4 it says to be in compliance with ETSI TS 101 456 (this refers to the policy document only), but I can't find any audit requirements to that standard nor any audit confirmation whatsoever. More than that, the Austrian Signature Act doesn't require any either (as far as I could see). At the overview ( http://signatur.rtr.at/en/legal/overview.html ) and other pages one can read:

/Die Aufnahme und Ausübung der Tätigkeit eines Zertifizierungsdiensteanbieters bedürfen keiner gesonderten Genehmigung. Der Anbieter muss die Aufnahme der Tätigkeit lediglich der Aufsichtsstelle anzeigen. Ein Anbieter, der sichere elektronische Signaturverfahren bereitstellt, kann sich aber vor der Aufnahme der Tätigkeit von der Aufsichtsstelle akkreditieren lassen./

Which, freely translated, means that a CA in Austria doesn't require any special permission. A CA only has to notify the supervisor (assuming to be Telekom-Control-Kommission). Such a provider *can* be accredited by the supervisor (it's not a requirement).

Maybe someone can shed some light on this?

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: [EMAIL PROTECTED]
Phone: +1.213.341.0390