On Nov 18, 2:54 am, Eddy Nigg <[EMAIL PROTECTED]> wrote:
> On 11/14/2008 11:12 PM, Frank Hecker:
>  >...in the short term I'm going to try to restart CA public

> In this particular case I think that the practice in question doesn't
> meet the requirements of the Mozilla CA policy. This includes in
> particular section 6 and 7 of the Mozilla CA Policy.
>

I believe that WISeKey's practices and policies do meet the
requirements of sections 6 and 7 of Mozilla's CA policy, and a review
of the posted documentation and audit guidelines in the report should
confirm that.
WISeKey has made some changes to its practices since the last public
discussion period. BlackBox Subordinate CAs are restricted to issuing
certificates for domains that are owned by the company that is
responsible for them, quite unlike the typical root signing done by
other companies. BlackBox subordinate CAs are also audited onsite at
least once annually.

>
> > WISeKey has been through an initial comment period a while back, during
> > which we got involved in a lengthy discussion about WISeKey's Blackbox
> > product (a "CA in a box" product intended for enterprise deployment) and
> > whether and how auditing was done for WISeKey's subordinate CAs
> > associated with that product. WISeKey supplied more information about
> > their arrangements, which you can find in the bug.
>
> Frank, I greatly missed the thorough and systematic work of Kathleen in
> this bug and it's a pity she didn't perform another round of
> "information gathering" in case some new evidence was provided. Anyhow,
> I couldn't find anything new in the bug since the last time. I'm not
> sure what is supposed to have changed.
>

There have been changes to the policies and practices. The CIDClassed
document is a summary of WK practices and certificate classes.

> Since I can't find anything new, I assume that nothing has changed and
> therefore the condition for inclusion didn't change at all. If we
> consider that all recent inclusion requests were specifically tested for
> such practices - most notably CAs like Comodo, but also T-Systems whose
> inclusion has been delayed as a result of it - I can't see any
> particular reason for making an exception here. Not only do their
> products circumvent the audit requirement, they might be in direct
> conflict with the basic requirements of the Mozilla CA policy such as
> email and domain validation (IIRC - see comment 32 in bug 371362).
>

WISeKey's products do not circumvent the audit requirement.
WISeKey's products conform with the basic requirements of the Mozilla
CA policy. WISeKey subordinate CAs in the BlackBox category can only
issue certificates containing domain names that have been validated as
being owned by the customer. These CAs are audited physically onsite,
there are technical controls preventing the issuance of certificates
containing any other domain name, and there are additional monitoring
controls.

> (Additionally, I couldn't confirm that this CA commands any significant
> market share with the information at my disposal. I'm of the opinion that
> it would be a mistake to make an exception on the audit requirement for
> sub-CAs, which in the future could serve as an argument in favor of
> similar scenarios.
> It was also pointed out at the bug that this CA is in MS software,
> however I suspect their policies to be also in conflict with the MS root
> program. Just some side-note...)

WISeKey is part of the MS Windows RCA program, and has had extensive
discussions with Microsoft's team prior to joining the program. The
conformance of MS products with the IETF PKIX standard enables its
products to work efficiently and cost effectively. They have supported
WISeKey extensively in testing. WISeKey has signed the Microsoft
Windows Root Certificate Program - CA agreement.

>
> --
> Regards
>
> Signer: Eddy Nigg, StartCom Ltd.
> Jabber: [EMAIL PROTECTED]
> Blog:  https://blog.startcom.org


regards,
Kevin Blackman
WISeKey SA
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto