On 11/20/2008 06:34 PM, kb:
> Probably the most important change in stated practice is that it is reflected that every CA is audited at least once annually. This is the case for all active CAs.

Kevin, thanks for clarifying this. It indeed was one of the concerns raised last time.

> The company database (such as existing HR or IDM) of the organisation, with details of the organisation's users, including their email addresses, is the principal source of data for certificates.

OK.

> Bounce-back email verification procedure proving access to the email account is also accepted, but this is inefficient in the enterprise context...

That's why I asked... ;-)

> In addition, other identity data in the certificate must come from a verified source, e.g. an HR database of identity data that is well-maintained and was created based on face-to-face or direct verification of the person.

Excellent!

> Currently it is WISeKey that audits all our CAs; we review the CAs at least once annually, or more regularly as we are more often present on some client sites. In addition to the controls we place on issuance, we also place monitoring controls and obtain regular reports.

Last question: Are there any sub CAs besides the blackbox product (with name-constraints) which are external to your physical infrastructure? I think there are not, but can you confirm that?
--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: [EMAIL PROTECTED]
Blog: https://blog.startcom.org
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
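The last question above asks whether any sub CA outside the operator's own physical infrastructure exists without name constraints. The reason that matters is that a name-constrained sub CA can only mint certificates a conforming relying party will accept for the names it is permitted, so a compromise of an externally hosted sub CA is bounded. The following Go program is an added illustration written for this page; it is not code from the thread, from WISeKey or from StartCom. It builds a throwaway in-memory PKI with the standard library only (root, an intermediate that is name-constrained to example.com, and a leaf), and shows Go's path validator rejecting a leaf for a name outside the constraint while accepting the same leaf when the intermediate is unconstrained. All CA names, the example.com permitted domain and the certificate lifetimes are invented for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newKey generates a fresh P-256 key; everything in this example stays in memory.
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// sign issues tmpl under parent with issuerKey (self-signed when parent == nil)
// and returns the parsed certificate.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, issuerKey *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, issuerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// IssueAndVerify builds a hypothetical PKI (root -> sub CA -> leaf). When
// constrained is true the sub CA carries a critical name constraint permitting
// only example.com and its subdomains. It then issues a server certificate for
// dns from the sub CA and runs Go's chain validation against the root. A nil
// return means the chain is accepted; a non-nil error says why it was rejected.
func IssueAndVerify(dns string, constrained bool) error {
	now := time.Now()
	rootKey, subKey, leafKey := newKey(), newKey(), newKey()

	root := sign(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Hypothetical Root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil, &rootKey.PublicKey, rootKey)

	subTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(2),
		Subject:               pkix.Name{CommonName: "Hypothetical Externally Hosted Sub CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		MaxPathLenZero:        true, // may issue end-entity certificates only
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	if constrained {
		// Critical name constraint: relying parties may only trust this CA for
		// example.com and names below it (the permitted domain is an assumption).
		subTmpl.PermittedDNSDomainsCritical = true
		subTmpl.PermittedDNSDomains = []string{"example.com"}
	}
	sub := sign(subTmpl, root, &subKey.PublicKey, rootKey)

	leaf := sign(&x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: dns},
		DNSNames:     []string{dns},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, sub, &leafKey.PublicKey, subKey)

	roots := x509.NewCertPool()
	roots.AddCert(root)
	inters := x509.NewCertPool()
	inters.AddCert(sub)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inters,
		DNSName:       dns,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	cases := []struct {
		dns         string
		constrained bool
	}{
		{"www.example.com", true},   // inside the constraint: accepted
		{"login.example.net", true}, // outside the constraint: rejected
		{"login.example.net", false}, // same name, unconstrained sub CA: accepted
	}
	for _, c := range cases {
		fmt.Printf("constrained=%-5v %-18s -> %v\n", c.constrained, c.dns, IssueAndVerify(c.dns, c.constrained))
	}
}
```

The third case is the situation the question is probing: an unconstrained sub CA, wherever it is hosted, can issue an accepted certificate for any name, so it needs the same physical and procedural controls as the root. The rejection in the second case comes from the validator (`CANotAuthorizedForThisName`), not from anything the sub CA does, which is why the constraint has to be in the sub CA certificate itself and marked critical.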