Microsec has applied to add one new root CA certificate to the Mozilla root store. The first public discussion of this inclusion request can be found here:
http://groups.google.com/group/mozilla.dev.tech.crypto/browse_thread/thread/416427a350db11a9#

Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=370505

Pending certificates list entry: http://www.mozilla.org/projects/security/certs/pending/#Microsec

Summary of Information Gathering and Verification Phase: https://bugzilla.mozilla.org/attachment.cgi?id=332762

There were two items of note in the first public discussion.

The first concern was about the Microsec practice of having a separate root for OCSP, particularly given the inclusion of AIA extensions with OCSP URLs in end entity certificates. From the first discussion it looked like Microsec is removing AIA extensions with OCSP URLs from end entity certificates and from intermediate CA certificates, and this should address this problem going forward. It also looked like Microsec’s long-term plan would completely resolve the concerns. Microsec’s long-term plan is to introduce an OCSP service that is usable for the general public, such that it does not require authentication and works using the 'authorized responder' concept. They already had a discussion with the National Communications Authority, so they will be able to issue OCSP responder certificates with their CAs, even with CAs that sign qualified certificates.

The second concern was that all of the CPSs were provided in Hungarian. Microsec has used a third-party translation company (http://www.kfi.hu) to prepare the translation of their CPS that is used for web server certificates, code signing certificates, e-mail encryption certificates and SSL client certificates.

http://www.e-szigno.hu/docs/szsz--hsz--altalanos--v1.6--EN.doc

This is the translation of version 1.6 that will come into effect on the 9th of March, 2009. Note that the other CPSs have very similar content, but they were required to create separate CPSs for qualified and non-qualified electronic signature certificates. We only requested that the one CPS be translated.

The procedure for the verification of the subscriber identity/organization and ownership of domain name and email address is discussed in Sections 3.2 and 4.2. The issuing frequency of CRLs is discussed in Section 4.10.

This begins phase 2 of the public discussion of the request from Microsec to add the Microsec e-Szigno Root CA root certificate to Mozilla.