On 12/30/2008 06:23 PM, István Zsolt BERTA:
István, even though I understand your frustration and agree with the
basic understanding that requirements should be published
accordingly, I also must state there has been at least one issue
(notably with your OCSP responder I think) in addition to our
I think the OCSP issue has been resolved: As I recall, on the short
run it does not cause problems with the current release of Firefox.
However, we accepted your arguments, we made some changes in our
systems and promised further changes in the future, so that it shall
not cause problems on the long run either.
Are you saying that your OCSP is (going to be) operating now as expected?
I may accept this statement, but if there is such a requirement, it
should be stated in advance.
I agree with you.
If there is no such requirement, it should not hinder the process, but
there should be defined ways to resolve this issue.
Apparently it does hinder the process (not intentional, just by the fact
that it's hard to get to the information).
We were requested to submit further documentation on the audit in
English. We had the detailed report of our auditor translated and we
sent it to Microsoft. (This is a non-public document that describes
our systems in depth similar to our CPS.)
So there is a disadvantage to Mozilla as you aren't willing to provide
the same information as you did to Microsoft.
They did not examine our CPS. (If we had been asked to submit a
translation of the current CPSs, we would have done so.) They relied
on the audit statement and on the detailed report of our auditor.
Well, yes, that's pretty detailed I guess. It might be actually easier
to read the detailed report than the CPS many times.
At that time, Microsoft stated that OCSP responders under a separate
root are not supported, so our OCSP root was not included in Windows.
However, the OCSP URL in the AIA field was not raised as a problem.
Therefore OCSP is effectively not working for Microsoft software too,
correct? I know however that CRLs are better supported than with NSS.
was going to happen at what time, what was examined, what the exact
criteria was, and when they wanted us to submit some documentation,
they asked us to do so.
Yes, I guess Mozilla can make such a request too.
OK, thanks, I tried to summarize the main points above.
And sorry for the late reply, your message almost drowned at the list
(but I marked it to respond to you later).
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog: https://blog.startcom.org
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
