1.) We need general information about which verifications and audits RTR performs (if at all). This might affect all CA inclusion requests based on RTR as auditor. According to RTR and the Austrian Signature Act, merely registration (i.e. notification to RTR) doesn't have any meaning beyond that. This seems to be confirmed by https://bugzilla.mozilla.org/show_bug.cgi?id=348987#c16 :

"The audit by the RTR is done based on the notification submitted to the RTR. The data from this notification is available at the URL you quoted. Our last notification to the RTR which explicitly includes ETSI TS 102 042 conformance"

See also below [#1] and [#2]

2.) At https://bugzilla.mozilla.org/show_bug.cgi?id=348987#c20 they claim: "it is stated in these documents that we are audited by the Control Authority according to ETSI 102 042." But when visiting http://www.signatur.rtr.at/en/providers/services/argedaten-globaltrust.html I notice the following:

Accreditation? NO
Qualified certificates? NO
Secure electronic signatures? NO

The relevant meaning can be viewed here:

Accreditation: http://www.signatur.rtr.at/en/providers/properties/accredited.html
Qualified certificates: http://www.signatur.rtr.at/en/providers/properties/qualified.html
Secure electronic signatures: http://www.signatur.rtr.at/en/providers/properties/secure.html

Especially read "Accreditation" and that the CAs in question do not apply to that! Additionally I couldn't find anywhere in the RTR papers any reference to ETSI audit or any other audit per se. However for this request it doesn't apply in any case, since it's marked as NO (nein).

3.) Also on http://www.signatur.rtr.at/en/providers/services/argedaten-globaltrust.html there is no "Certificate in the supervisory authorities directory" as in http://www.signatur.rtr.at/en/providers/services/argedaten-a-cert-advanced.html and the certificate signed by RTR cannot be compared to the root in question.

4.) The CPS for the Globaltrust root (http://www.signatur.rtr.at/repository/csp-argedaten-cp-globaltrust-16-20070605-de.pdf) has no reference to intermediate CAs, but seems to issue directly from the root. Also http://www.signatur.rtr.at/en/providers/services/argedaten-globaltrust.html seems to refer only to end-user certificates and not intermediate CAs.

Is there any reference in the CPS or policy concerning how the Intermediate CAs are handled, their structure and more? Please advise.

[#1] http://signatur.rtr.at/en/legal/overview.html

"Die Aufnahme und Ausübung der Tätigkeit eines Zertifizierungsdiensteanbieters bedürfen keiner gesonderten Genehmigung. Der Anbieter muss die Aufnahme der Tätigkeit lediglich der Aufsichtsstelle anzeigen. Ein Anbieter, der sichere elektronische Signaturverfahren bereitstellt, kann sich aber vor der Aufnahme der Tätigkeit von der Aufsichtsstelle akkreditieren lassen."

Which, freely translated, means that a CA in Austria doesn't require any special permission. A CA only has to notify the supervisor (assuming to be Telekom-Control-Kommission). Such a provider *can* be accredited by the supervisor (it's not a requirement).

[#2] http://www.signatur.rtr.at/en/legal/sigg17.html

The title of the page "§ 17 Freiwillige Akkreditierung" and following content explains that Accreditation is voluntary only.

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: [EMAIL PROTECTED]
Phone: +1.213.341.0390

Gervase Markham wrote:
> ARGE DATEN has applied to add some certs to the Mozilla root store, as
> documented in the following bug:
> https://bugzilla.mozilla.org/show_bug.cgi?id=348987
> and in the pending certificates list here:
> http://www.mozilla.org/projects/security/certs/pending/
>
> I have evaluated their request, as per the mozilla.org CA certificate
> policy:
> http://www.mozilla.org/projects/security/certs/policy/
> and plan to approve this request in two weeks' time. If you have any
> objections, or know of facts which might influence this decision, please
> make them known before then.
>
> Gerv
>

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto