On 11/19/2008 01:59 AM, kgb: Hi Kevin,
WISeKey has made some changes to its practices, since the last public discussion period.
I'm glad to hear that! Can you point to what specifically has been changed since then?
BlackBox Subordinate CAs are restricted to issue certificates for domains that are owned by the company that is responsible for them, quite unlike the typical root signing done by other companies.
How are email certificates validated beyond that? Are they validated - or is it a catch-all verification for all email certificates under the respective domain name(s)?
BlackBox subordinate CAs are also audited onsite at least once annually.
By whom? I remember from the last discussion that you weren't performing on-site visits or only randomly, download of the software and CA keys were provided via Internet download.
There have been changes to the policies and practices. The CIDClassed document is a summary of WK practices and certificate classes.
OK, I will examine this document further then...
WISekey's products do not circumvent the audit requirement. WISeKey's products conform with the basic requirements of the Mozilla CA policy. WISeKey subordinate CAs in the BlackBox category can only issue certificates containing domain names that have been validated as being owned by the customer. These CAs are audited physically onsite, there are technical controls preventing the issuance of certificates containing any other domain name, and there are additional monitoring controls.
Did your auditor perform random verifications of those visits, verify some of these installations and the technical controls? You don't have to answer this question, but it would be nevertheless interesting to understand the extend of the audit performed.
What are your requirements and controls concerning physical and logical access to the system(s)? (pointer to the CPS section is fine)
WISeKey is part of the MS Windows RCA program, and have had extensive discussions with Microsoft's team prior to joining the program. The conformance of MS products with the IETF PKIX standard enable its product to work efficiently and cost effectively. They have supported WISeKey extensively in testing. WISeKey has signed the Microsoft Windows Root Certificate Program - CA agreement.
I think some enterprise scenarios are explicitly disallowed by Microsoft which your product however could implement nevertheless, specially since it's based on MSCA (as I understood). But this is beyond the scope of what we do here, it was only a side note from me.
-- Regards Signer: Eddy Nigg, StartCom Ltd. Jabber: [EMAIL PROTECTED] Blog: https://blog.startcom.org _______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
