On 03/04/2009 06:17 PM, michal...@gmail.com:
On Feb 28, 12:47 pm, Eddy Nigg<eddy_n...@startcom.org> wrote:
Having studied the Israeli Electronic Signature Law on previous
occasions, the law resembles in many aspects similar legislation of
the EC. We've seen at different opportunities the lack of its usefulness
in the context of browser software. Now, the Israeli signature law
doesn't provide and publish auditing criteria (which might be
non-existent), nor is it a set of criteria currently acceptable to Mozilla.
The auditor (whom I don't know) states in a letter to Mozilla
https://bug420705.bugzilla.mozilla.org/attachment.cgi?id=347141 which I
guess is supposed to substitute for an audit statement (?) that ComSign
is regulated by operating standards that are at least equivalent *in all
material aspects* to ETSI TS 101 456. However, this vague statement in
addition to non-disclosed or unknown audit criteria can't suffice as
audit compliance with the Mozilla CA Policy in my opinion.
In case auditing criteria do exist and I'm unaware of their existence,
we could try to compare them to ETSI or WebTrust and try to map them (if
Mozilla wants to do that - at a different CA where minor abbreviations
existed between governmentally defined audit criteria and WebTrust, IIRC
this is what was done). However, this point must be clarified before
continuing.
The Israeli Electronic Signature Law requires Comsign to verify the
client personally, which means that the client arrives at the Comsign
office and shows his ID and his driver's licence or passport; his
details are verified against the Ministry of the Interior database.
We also verify his email address.
Verification of email ownership is documented in section 3.2.1 of
http://www.comsign.co.il/Images/Doc/English_CPS_final.doc.
"3.2.1.5 Comsign and/or its representatives will verify that the
E-mail address is valid by sending mail to the customer and asking
him to reply."
Verification of domain ownership is documented in section 3.1 of
http://www.comsign.co.il/Images/Doc/CPS__SSL_EN.pdf
"An investigation will be performed to confirm that the domain for
which the certificate is requested is registered in the organization's
name.."
Regarding the empty CRL - we haven't revoked any CA or intermediate
since we started.
Excellent, thank you for that. Do you have any more information
concerning the auditing criteria and/or CA certificate practice
requirements, preferably as published by the Ministry of Justice?
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog: https://blog.startcom.org
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto