I started to review this inclusion request by reading parts of the German version of the CP and CPS, which I understand is the only legal document. The English version seems to be a draft only and perhaps not legally binding.
Nevertheless I read mostly the English version, which is easier to understand. Similar to Kathleen's comment at https://bugzilla.mozilla.org/show_bug.cgi?id=378882#c46, I had difficulty coming to a positive conclusion concerning their handling of subordinate CAs and about the validation methods this CA requires. Some of this has been answered in the bug; however, the CP/CPS is not clear at all in that respect, and basically the concerns raised by Kathleen haven't been addressed.

Subordinate CAs may be external to T-Systems and, as I understand it, are not part of and covered by the audit performed by E&Y. Instead we are referred to "contractual obligations" without defining what those obligations are. Those obligations are not clearly defined anywhere as far as I could see. This is a problem which has been pointed out here previously and at http://wiki.mozilla.org/CA:Problematic_Practices

Apparently subordinate CAs maintain their own sets of subordinate CA certificates - despite the illustrations, descriptions and comments telling us otherwise - or the term "root CA" is interpreted differently in the CPS and these are actually subordinate CAs. Anyway, that's what I found out after visiting the suggested URL in comment 52 of bug 378882: https://www.pki.dfn.de/ I couldn't find any clear regulation in respect of the issuing and maintaining of subordinate CAs which are themselves subordinate to the T-Systems root.

Validation of email addresses and domain names isn't clearly defined (or I might have simply missed the relevant sections). Instead, the CP/CPS of the subordinate CAs govern and regulate those aspects according to comment https://bugzilla.mozilla.org/show_bug.cgi?id=378882#c52, and domain ownership is commented on with: "Checking for the ownership of the domain is part of the legal process to come to a contract with those customers (It`s no big deal to examine the ownership of the domain via the responsible NIC)"

The "legal processes" are nowhere defined as far as I could find in the CP/CPS, nor are alternative minimum requirements concerning validations clearly published. I haven't seen any CP/CPS of sub CAs which regulates those aspects, nor were they examined by Mozilla so far. Nor could I find how IP addresses are handled, which domain names are acceptable, or anything of relevance in that respect (hostnames, wildcards, IP addresses, FQDNs etc.). The same applies to email address verification. Neither have I found how identities and organizations are validated, which might be relevant for code signing certificates.

My input is by no means conclusive, and perhaps Kathleen or a representative of T-Systems can point me to the relevant sections of their CP/CPS. I reserve the right to raise additional questions during the comments period should I find anything which should be cleared before continuing.

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: [EMAIL PROTECTED]
Blog: https://blog.startcom.org

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto