A representative from KISA responded at the bug with comment 64: https://bugzilla.mozilla.org/show_bug.cgi?id=335197#c64

"Beside some criteria that corrupts with KISA's certificate policy statement, Korea electronic signature act and etc, MIC audit criteria WebTrust audit criteria is satisfied. But this is just because KISA is a root CA organization. For example we don't have any RAs, but all our subordinate CAs satisfy the WebTrust audit criteria."

After reviewing this bug, including the initial documents submitted and reading the statement at http://eng.mic.go.kr/eng/user.tdf?a=common.HtmlApp&c=1001&page=resources/resources_f_01.html&mc=E_04_06 I would prefer to have the auditor explicitly confirm to which audit criteria they were audited and have this statement signed by the auditor. I haven't read the CPS yet (part of it is Korean???) and still intend to do so...

A few points here:

1.) Initially a very questionable msdoc document was submitted to the bug.
2.) The later supplied statement of the auditor is vague as far as the audit criteria are concerned.
3.) The auditor refers to an "Electronic Signature Act" which isn't an accepted criterion under the Mozilla CA policy.

Almost every country has an "Electronic Signature Act" or similar regulation these days. It's almost impossible to learn the exact requirements of each and every country, which vary enormously from country to country. I know it because I've done so in the past for different CA inclusion requests. Part of these regulations had (and have) a direct impact, including outright non-compliance with the basic requirements of the Mozilla CA policy. Requests from such CAs must in my opinion first of all be audited and confirmed explicitly as such, to one of the accepted criteria.

I believe that supporting regulations of each and every country is an almost impossible task. Also many times there are some umbrella CAs set up to support those regulations and by including them, it will automatically include a bunch of other CAs as well. I believe KISA is such a CA...??

I intend to invest some more time on this bug...
--
Regards

Signer: Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber: [EMAIL PROTECTED] <xmpp:[EMAIL PROTECTED]>
Blog: Join the Revolution! <http://blog.startcom.org>
Phone: +1.213.341.0390