On 02/12/2009 12:31 PM, Yannick LEPLARD:
First of all, I would like to express my astonishment about the
discussion phase.
It sounds like Mozilla's discussion "how to evaluate the CAs / changes
to do in the benchmarks" rather than a Certigna discussion.

Yes, unfortunately we make the mistake again and again by not changing the subject line when discussing (un)related issues. However, this is a discussion group as compared to Bugzilla.

There was a long technical verification phase made by three people:
Gervase Markham, Frank Hecker, and Kathleen Wilson.
And now, it seems to be a reconsideration of ETSI 102 042.

No, only Kathleen has reviewed and gathered the information about your CA. Unfortunately there was a backlog which Mozilla is now working up.

The issue at hand is not the audit criteria of ETSI per se, but the disclosure of your practices. I think this is the first time that a CA wasn't willing to disclose the practice statement.


About CP/CPS:
I think a public CP and an audit of compliance with a reference norm
(like ETSI, WebTrust, ...) provide guarantees to third parties.
CPS and other internal documents are checked by auditors (and they
control that the company does what is written!).

Right, and in order to judge what your CA is doing we would like to know about it. Please note that WebTrust requires public disclosure of the practices.

They contain know-how of the company (technical and organizational
measurements), and don't have to be published.

Well, considering that the top 20 CAs all disclosed their practices, I can't see which know-how you are trying to protect, but if you are doing something completely different than all the others, then it's perhaps more reason to know about it.

Please also note that ETSI doesn't require particular validation methods upon which it can be assumed that you are compliant with the Mozilla CA policy. And I really wonder if you didn't have to disclose the CPS to Microsoft as well.


--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog:   https://blog.startcom.org
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto