Frank Hecker:
> Frank Hecker wrote:
>> GlobalSign has submitted requests to include a replacement root
>> certificate for an already-included root certificate (same public key,
>> new expiry date) and to enable it and a second GlobalSign root for EV:
>>
>> https://bugzilla.mozilla.org/show_bug.cgi?id=406794
>> https://bugzilla.mozilla.org/show_bug.cgi?id=406796
> <snip>
>> I think we now have all the information we need to start the first
>> public comment period for this request, so I'm formally declaring it
>> open.
>
> The first comment period is over, and I've made a preliminary decision
> to approve these requests; see my comments in the above-referenced bugs.
> The second (one-week) comment period is now open.
>
> Frank
>

My apologies for tending somewhat late to this request. As the voice of the community :-) , here are a few points to notice:

This is perhaps the first EV request which doesn't have an operating OCSP responder at this stage. The EV guidelines require it only in 2010; however, I haven't come across a CA which doesn't provide this service *and* issues EV.

Not sure what GlobalSign deems a secure manner to provide PKCS12 files (including private keys) mentioned in 1.9.6.9 of their CPS. This might fall under problematic practices which Nelson recently added to
http://wiki.mozilla.org/CA:Problematic_Practices#Distributing_generated_private_keys_in_PKCS.2312_files

Even though Frank mentioned it in the bug and referred to the "information checklist", and after examining the CPS (not too thoroughly, however), I couldn't clearly find out how exactly email (and domain ownership) are verified. It merely states that "Globalsign has the right to request proof of the ownership of the domain name or can ask the owner of the domain name to validate the request of the applicant". This seems somewhat vague to me. The same is true for email validation.

GlobalSign, however, provides a limited liability of 100,000 Euro for invalid domain names, which should be incentive enough to actually do so in some way... ;-)

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: [EMAIL PROTECTED]
Blog: https://blog.startcom.org