Eddy Nigg (StartCom Ltd.) wrote:
> I think the question raised with that CA was also, if the audit covers 
> the whole CA infrastructure, i.e. all different independent CAs 
> operating under the KISA root. If I remember right, the CPS has no 
> provision in that respect and the audit covers only KISA's operations 
> itself.

I looked into this a while back. Auditing of the subordinate CAs 
("licensed CAs" or LCAs) was/is mandated by the relevant Korean law and 
regulations that set up KISA in the first place and established MIC 
authority over it. KISA itself does the auditing of the LCAs, as 
mandated by the law and regulations.

> If we would apply Microsoft's new criteria (not that this matters for us 
> really) of having the audit covering the full CA infrastructure, this 
> one wouldn't go through.

Actually, Microsoft has special provisions for audits of government CAs 
(as I mentioned in a separate message). The audit requirements on 
commercial CAs (item 7, "General Requirements") don't apply to 
government CAs.

Frank

-- 
Frank Hecker
[EMAIL PROTECTED]
_______________________________________________
dev-tech-crypto mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-crypto