On 03/09/2009 10:51 PM, kathleen95...@yahoo.com:
> * The TC TrustCenter Class 1 CA root has four internally-operated subordinate CAs which issue certificates for email and SSL client authentication. Only the email trust bit is requested for this root. Note that this root is 1024 bit and it expires in January, 2011. TC TrustCenter will phase out this root before the end of 2010.
I think it's unreasonable to expect that Mozilla will support a root which will be phased out within a year's time. Sorry.
> * The TC TrustCenter Universal CA I root has been introduced to reduce the number of root certificates in the trusted root stores. This root will have internally-operated subordinate CAs for each registration strength. “Class 1”, “Class 2”, “Class 3” and “Class 4” represent the registration strength. This root currently has one Class 3 subordinate CA. Over time this root will have more “TC Class x” subordinate CA certificates. The request is to enable all three trust bits for this root. This root is RSA 2048 bit. The SSL certificates chaining up to this root are OV.
On other notes, there is no mention of the Class 0 certificates as stated in CPD-TCTrustCenter-061023-en.pdf. They might present a problem as they wouldn't comply with the Mozilla CA Policy requirements, section 7. Can we identify from which roots they are issued? Can we receive a sample certificate which was issued recently?
> * There are currently no subordinate CAs that are operated by third parties. However, the CAs could have sub-CAs in which a third party has ownership/control of the sub-CA key pair and CA. If TC TrustCenter issues a Sub-CA certificate to a third party then there will be contractual agreements in place requiring the third party to adhere to the requirements of the applicable CPS. The entry "Path length" in the "Basic constraints" extension (marked as critical) is set to 0. So they cannot use their own subordinates. From TC TrustCenter: We do not sign subordinates for public SSL provider use. The root can only be used by Enterprises that pass our tests and plan to issue for internal, corporate purposes, typically S/MIME and authentication. To date, we have not encountered any problems with our subordinates.
The comment from https://bugzilla.mozilla.org/show_bug.cgi?id=392024#c42 and further in comment 44 suggests that there *are* external subordinate CA certificates. Do we know how many and if they were included in the audits? Also, will they be part of the audits or are only the controls of the CA audited?
I'm not sure if there are explicit provisions in the CPS concerning the requirements for external entities having their own (sub) CA at their premises and their audit requirements (beyond internal controls of the CA). Can we get some more information on that?
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog: https://blog.startcom.org

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
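The Basic Constraints point raised in the thread (a "Path length" of 0 on a sub-CA certificate means that sub-CA may issue end-entity certificates but no further CA certificates) is something a relying party can check mechanically. The block below is an added example and is not code from this thread, from TC TrustCenter or from Mozilla: it models each certificate as a small record holding only the fields the check needs, walks a hand-constructed chain the way RFC 5280 section 6.1.4 steps (l) and (m) do, and reports where a pathLenConstraint is exceeded. All certificate names and chains are constructed for illustration. One assumption to note: it honours a pathLenConstraint on the trust anchor as well, which is stricter than RFC 5280 requires (the RFC leaves anchor handling to local policy).

```python
"""Check pathLenConstraint (RFC 5280 Basic Constraints) along a chain.

Added example: certificates are modelled as small records with only the
fields the check needs, and the chains below are constructed by hand
rather than parsed from real DER.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Cert:
    name: str                        # subject, used for reporting only
    is_ca: bool                      # Basic Constraints cA flag
    path_len: Optional[int] = None   # pathLenConstraint; None = absent


def validate_path_len(chain: List[Cert]) -> List[str]:
    """Return a list of violations for a chain ordered root -> leaf.

    Rules applied, following RFC 5280 section 6.1.4 steps (l) and (m):
      * every certificate that issued another one must have cA=TRUE;
      * each non-root CA certificate consumes one unit of the tightest
        pathLenConstraint seen so far, so a CA with path_len=0 may issue
        end-entity certificates only;
      * a pathLenConstraint can only tighten the limit, never widen it.
    The trust anchor's own constraint is honoured too (an assumption that
    is stricter than RFC 5280, which leaves anchor handling to policy).
    An empty list means the chain passes this check.
    """
    violations: List[str] = []
    max_path_len: Optional[int] = None   # None = no limit established yet
    issuers = chain[:-1]                 # every cert except the leaf issued one
    for depth, cert in enumerate(issuers):
        if not cert.is_ca:
            violations.append(f"{cert.name}: issued a certificate but cA is FALSE")
        if depth > 0 and max_path_len is not None:
            # This CA is an intermediate that follows a constrained CA.
            if max_path_len == 0:
                violations.append(
                    f"{cert.name}: intermediate CA exceeds the pathLenConstraint "
                    f"of an issuer above it")
            else:
                max_path_len -= 1
        if cert.path_len is not None and (
                max_path_len is None or cert.path_len < max_path_len):
            max_path_len = cert.path_len   # tighten, never widen
    return violations


# Constructed sample chains (not real certificates).
ROOT = Cert("Example Root CA", is_ca=True)
ENTERPRISE_SUB = Cert("Example Corp Sub-CA", is_ca=True, path_len=0)
DEPARTMENT_CA = Cert("Example Corp Departmental CA", is_ca=True)
LEAF = Cert("alice@example.com", is_ca=False)

# Sub-CA with path_len=0 issuing an end-entity cert directly: allowed.
GOOD_CHAIN = [ROOT, ENTERPRISE_SUB, LEAF]
# The same sub-CA issuing a further CA: exceeds its pathLenConstraint.
BAD_CHAIN = [ROOT, ENTERPRISE_SUB, DEPARTMENT_CA, LEAF]


def check_samples() -> dict:
    """Run both constructed chains and return name -> violations."""
    return {
        "good": validate_path_len(GOOD_CHAIN),
        "bad": validate_path_len(BAD_CHAIN),
    }


if __name__ == "__main__":
    for label, problems in check_samples().items():
        print(f"{label}: {'OK' if not problems else '; '.join(problems)}")
```

The walk is ordered root first so that the tightest limit seen so far is known before each subordinate is examined; a real validator would obtain the same fields from the parsed Basic Constraints extension of each certificate in the built path.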