On 02/24/2009 10:21 PM, Kathleen Wilson:
This begins the one-week discussion period. After that week, I will
provide a summary of issues noted and action items. If there are no
outstanding issues, then this request can be approved for inclusion.
If there are outstanding issues or action items, then an additional
discussion may be needed as follow-up.


Having studied the Israeli Electronic Signature Law on previous occasions, the law resembles in many aspects similar legislation of the EC. We've seen at different opportunities the lack of its usefulness in the context of browser software. Now, the Israeli signature law doesn't provide and publish auditing criteria (which might be non-existent), nor are they a set of criteria currently acceptable to Mozilla.

The auditor (whom I don't know) states in a letter to Mozilla https://bug420705.bugzilla.mozilla.org/attachment.cgi?id=347141, which I guess is supposed to substitute for an audit statement (?), that ComSign is regulated by operating standards that are at least equivalent *in all material aspects* to ETSI TS 101 456. However, this vague statement, in addition to non-disclosed or unknown audit criteria, can't suffice as audit compliance with the Mozilla CA Policy in my opinion.

In case auditing criteria do exist and I'm unaware of their existence, we could try to compare them to ETSI or WebTrust and try to map them (if Mozilla wants to do that - at a different CA where minor abbreviations existed between governmentally defined audit criteria and WebTrust, IIRC this is what was done). However, this point must be clarified before continuing.

The practice statement of ComSign is clearly geared to comply with the Israeli signature law (its date from 2003 suggests it too) and doesn't sufficiently disclose the validation practices we care most about in the context of Mozilla software, nor do additional relevant documents from ComSign. Repeated questions and requests by Kathleen to provide clear information concerning domain and email validation at the bug have been ignored, nor has an updated CPS been published as far as I can see.

Depending on the outcome of the above-mentioned points, I'd have additional questions in regard to the internal (and external) CAs and some other practices. BTW, I couldn't read the "Cert Hierarchy Diagram", which is in some unknown format (DOCX).


--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog:   https://blog.startcom.org
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto