Frank Hecker wrote, On 2008-03-30 04:29:
> Eddy Nigg (StartCom Ltd.) wrote:
>> OK, so in that case KISA itself is becoming an auditor. Would KISA then
>> issue audit reports about the various CAs in question? What would be the
>> pros and cons of having each licensed CA approved instead of KISA as a
>> "wild card" CA for a whole country?
>
> One major issue is that as a matter of policy we don't do inclusion of
> certs for subordinate CAs; we just approve and include roots.
Let me make a subtle but (I think) important modification to that. We don't approve/include certs for CAs that are subordinate to an approved/included trust anchor. And that's because it's redundant. But I believe we have already decided, in principle, to approve certs for CAs that are subordinate to some root that is not approved, when the subordinate CA meets the criteria, but the root does not.

The case where that arose was the request to approve the Austrian TKK root which (as I recall) was found to issue certs to subordinate CAs without ensuring that the subordinate CAs' practices met ANY particular standard. But we agreed that some of the major Austrian CAs whose highest-level CAs' certs were signed by TKK (e.g. Arge Daten and A-Trust) *might* well qualify for inclusion by themselves, regardless of TKK's qualification. Today, the request for inclusion of one of those subordinate CAs (Arge Daten) is under consideration (bug 348987), even though it is subordinate to TKK.

I think the same situation might very well occur for CAs in nations like South Korea. There is a small number (single digit) of CAs approved by KISA. So, even if (say) KISA itself does not meet our criteria, due to some concern about its audits, the CAs whose certs it has signed might very well meet our criteria and be admissible as trust anchors (albeit not "roots") in their own right.

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto