> Are you saying that your OCSP is (going to be) operating now as expected?

Yes. According to this thread
http://groups.google.com/group/mozilla.dev.tech.crypto/browse_thread/thread/416427a350db11a9
we have already removed the problematic OCSP URL from our SSL certificates, and also removed the problematic OCSP URL from CA certificates that are used for the validation of SSL certificates. Our root does contain an OCSP URL, but according to the thread it does not cause a problem in Mozilla, as the revocation status of the root cannot and shall not be checked via OCSP.

This means there are not any problems even in the short run. As we promised, we shall also address the problem in the long run by introducing an OCSP service that is usable for the general public, i.e. that does not require authentication and works using the 'authorized responder' concept.
http://groups.google.com/group/mozilla.dev.tech.crypto/msg/71ff5be3141529a8?

In the long run, we shall be required to phase out SHA-1 from our systems, so we shall have to introduce a new hierarchy. The new hierarchy shall have an OCSP usable for the general public, and its root certificate shall not contain an OCSP URL. However, the whole process of migration to the new hierarchy and the phasing out of the current one will be long.

> > I may accept this statement, but if there is such a requirement, it
> > should be stated in advance.
>
> I agree with you.
>
> > If there is no such requirement, it should not hinder the process, but
> > there should be defined ways to resolve this issue.
>
> Apparently it does hinder the process (not intentional, just by the fact
> that it's hard to get to the information).
>
> > We were requested to submit further documentation on the audit in
> > English. We had the detailed report of our auditor translated and we
> > sent it to Microsoft. (This is a non-public document that describes
> > our systems in depth similar to our CPS.)
>
> So there is a disadvantage to Mozilla as you aren't willing to provide
> the same information as you did to Microsoft.

We are willing to provide information but nobody asked for it :). It was not stated among the requirements for inclusion to submit a CSP in English. I was requested to submit translations of relevant sections of our CPS, and I did so. Mozilla has also asked a Hungarian person to double check my translation. I was also asked to send our CPS in RTF format so that you can perform a machine translation, and I did so. (I also expressed my skepticism about machine translation to and from Hungarian.) We have provided what you asked. Why would we submit something you did not ask for?

> > was going to happen at what time, what was examined, what the exact
> > criteria was, and when they wanted us to submit some documentation,
> > they asked us to do so.
>
> Yes, I guess Mozilla can make such a request too.

If such a formal request is made, we shall have no problem with it. (We shall prefer to submit a translation of our CPS and not of the detailed audit report, as Mozilla discusses these materials on a public forum, and the detailed audit report may contain non-public information too.)

However, the translation of a 100-page-long CPS has a major cost, and I can only justify this cost if I can demonstrate that it is either necessary or if I can clearly show what benefits it would bring (e.g. to what extent it speeds the process up).

Still, if we need to submit a translation, I think we could have been asked to do it two years ago when the whole process started. I do not see why it took Mozilla two years to come to this conclusion...

> And sorry for the late reply, your message almost drowned at the list
> (but I marked it to respond to you later).

I also apologize for my late reply, we were also flooded with mails after the holidays.

Regards,

István