Hi, here is our statement regarding the SubordinateCA checklist requirements:

There are only two subordinate CAs issued by the root certificates related to this request. Both sub-CAs are operated by a third party for internal use only.

Regarding Sub-CA 1, which is chained to "TC Class 2 CA II": because the CA is for internal use only, the company operating the subordinate CA does not make the applicable CP/CPS publicly available. According to Mozilla's SubordinateCA checklist (https://wiki.mozilla.org/CA:SubordinateCA_checklist) we have to provide and make publicly available the following information when our root signs subordinate CAs for enterprises/companies who operate the sub-CA for their own use:

1. General description of the sub-CAs operated by third parties.
--> This Sub-CA 1 is used to issue certificates to company-internal devices. All relying parties are company-internal.

2. The CP/CPS that the sub-CAs are required to follow.
--> The sub-CA 2 is required to follow the TC TrustCenter CPD and CPS.

3. Requirements (technical and contractual) for sub-CAs in regards to whether or not sub-CAs are constrained to issue certificates only within certain domains, and whether or not sub-CAs can create their own subordinates.
--> This is covered by TC TrustCenter's CPD and CPS. In addition, third-party Sub-CA 1 cannot create its own subordinates due to the path length constraint in the sub-CA certificate. Furthermore, all certificates issued by the CA in question are company-internal device certificates; see below.

4. Requirements (typically in the CP or CPS) for sub-CAs to take reasonable measures to verify the ownership of the domain name and email address for end-entity certificates chaining up to the root, as per section 7 of our Mozilla CA certificate policy.
--> This is covered by TC TrustCenter's CPD and CPS.
   * domain ownership/control
   --> Certificates are issued only company-internally and all relying parties are company-internal, so domain ownership/control does not need to be verified.
   * email address ownership/control
   --> Certificates are issued to company-internal devices and all relying parties are company-internal.
   * digitally signing code objects -- entity submitting the certificate signing request is the same entity referenced in the certificate
   --> There is no signing of code objects.

5. Description of audit requirements for sub-CAs (typically in the CP or CPS)
   * Whether or not the root CA audit includes the sub-CAs.
   * Who can perform the audits for sub-CAs.
   * Frequency of the audits for sub-CAs.
--> These requirements apply to the Root and are covered by TC TrustCenter's CPS.

Regarding Sub-CA 2, which is chained to "TC Class 1 CA":

1. General description of the sub-CAs operated by third parties.
--> This Sub-CA 2 is used to issue certificates to company-internal email users. The certificates may only be used to secure the internal email communication.

2. The CP/CPS that the sub-CAs are required to follow.
--> The sub-CA 2 is required to follow the TC TrustCenter CPD.

3. Requirements (technical and contractual) for sub-CAs in regards to whether or not sub-CAs are constrained to issue certificates only within certain domains, and whether or not sub-CAs can create their own subordinates.
--> The sub-CA 2 cannot create its own subordinates due to the path length constraint in the sub-CA certificate. Furthermore, all certificates issued by the Sub-CA 2 in question are for company-internal email users; see below.

4. Requirements (typically in the CP or CPS) for sub-CAs to take reasonable measures to verify the ownership of the domain name and email address for end-entity certificates chaining up to the root, as per section 7 of our Mozilla CA certificate policy.
--> This is covered by TC TrustCenter's CPD and CPS.
   * domain ownership/control
   --> Certificates are for secure email purposes only, not for SSL servers.
   * email address ownership/control
   --> Certificates are issued to company-internal email users for company-internal use.
   * digitally signing code objects -- entity submitting the certificate signing request is the same entity referenced in the certificate
   --> There is no signing of code objects.

5. Description of audit requirements for sub-CAs (typically in the CP or CPS)
   * Whether or not the root CA audit includes the sub-CAs.
   * Who can perform the audits for sub-CAs.
   * Frequency of the audits for sub-CAs.
--> These requirements apply to the Root and are covered by TC TrustCenter's CPS.

--
Dr. Rolf Lindemann
Director Product Management
TC TrustCenter GmbH
Sonninstrasse 24-28, 20097 Hamburg
Office: +49 40 808026-300
Fax: +49 40 808026-126
Email: lindem...@trustcenter.de
www.trustcenter.de
Geschaeftsfuehrung/Managing Directors: Robert Steinkrauss, Dr. Sabine Kockskaemper
AG Hamburg, HRB 96168

This email may contain confidential and privileged material for the sole use of the intended recipient. Any review or distribution by others is strictly prohibited. If you are not the intended recipient please contact the sender and delete all copies.
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
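The mail above relies on a technical control for checklist item 3: the sub-CA certificates carry a path length constraint, so the third-party CAs cannot create their own subordinates. The following added example (not code from the mail, from TC TrustCenter or from Mozilla) shows what that control actually does during path validation. It builds a constructed three-tier hierarchy with the Python cryptography package, a root, a subordinate CA with pathLenConstraint 0, and end-entity certificates, and then applies the RFC 5280 section 6.1.4 path length bookkeeping to two paths: the intended root / sub-CA / device path, and a path in which the sub-CA has nevertheless signed a sub-sub-CA. The sub-CA key can of course still produce that signature; the point is that relying parties performing standards-conforming validation reject any path that goes through it. All CA names, key material and device names are made up for the demo; validity dates, revocation, name constraints and key usage checks are deliberately left out.

```python
# Added example, not code from the original mail or from TC TrustCenter.
# Builds a constructed three-tier hierarchy with the "cryptography" package
# and applies the RFC 5280 section 6.1.4 path length rules, showing why a
# pathLenConstraint of 0 on a subordinate CA certificate stops that CA from
# creating its own subordinates. All names and keys are made up for the demo.
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

NOT_BEFORE = datetime.datetime(2024, 1, 1, tzinfo=datetime.timezone.utc)
NOT_AFTER = datetime.datetime(2034, 1, 1, tzinfo=datetime.timezone.utc)


class PathValidationError(Exception):
    """Raised when a certificate path fails one of the checks below."""


def make_cert(common_name, subject_key, issuer_cert, issuer_key, ca, path_length=None):
    """Issue an ECDSA/P-256 certificate for subject_key; issuer_cert=None means self-signed."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    issuer = subject if issuer_cert is None else issuer_cert.subject
    builder = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer)
        .public_key(subject_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(NOT_BEFORE)
        .not_valid_after(NOT_AFTER)
        # pathLenConstraint is only meaningful (and only allowed) when cA=TRUE
        .add_extension(
            x509.BasicConstraints(ca=ca, path_length=path_length if ca else None),
            critical=True,
        )
    )
    return builder.sign(issuer_key, hashes.SHA256())


def validate_path(chain):
    """Validate a path ordered trust anchor first, end-entity certificate last.

    Checks issuer/subject chaining, every signature against the issuing key,
    the cA flag on each intermediate, and the pathLenConstraint bookkeeping of
    RFC 5280 section 6.1.4 steps (l) and (m). Validity dates, revocation, name
    constraints and key usage are deliberately left out of this demo.
    """
    if len(chain) < 2:
        raise PathValidationError("need a trust anchor and at least one certificate")
    max_path_length = None  # None means no constraint has been seen yet
    for depth in range(1, len(chain)):
        cert, issuer = chain[depth], chain[depth - 1]
        name = cert.subject.rfc4514_string()
        if cert.issuer != issuer.subject:
            raise PathValidationError(f"{name}: issuer name does not match the previous subject")
        try:
            issuer.public_key().verify(
                cert.signature, cert.tbs_certificate_bytes,
                ec.ECDSA(cert.signature_hash_algorithm),
            )
        except InvalidSignature:
            raise PathValidationError(f"{name}: signature does not verify under the issuer key")
        if depth == len(chain) - 1:
            break  # the end-entity certificate is not an intermediate; no CA checks apply
        try:
            bc = cert.extensions.get_extension_for_class(x509.BasicConstraints).value
        except x509.ExtensionNotFound:
            raise PathValidationError(f"{name}: intermediate without basicConstraints")
        if not bc.ca:
            raise PathValidationError(f"{name}: intermediate has cA=FALSE")
        # step (l): each non-self-issued intermediate consumes one unit of the budget
        if cert.subject != cert.issuer and max_path_length is not None:
            if max_path_length <= 0:
                raise PathValidationError(f"{name}: exceeds the pathLenConstraint of an ancestor CA")
            max_path_length -= 1
        # step (m): a tighter pathLenConstraint on this certificate lowers the budget
        if bc.path_length is not None and (max_path_length is None or bc.path_length < max_path_length):
            max_path_length = bc.path_length
    return True


def check_path(chain):
    """Return (True, 'ok') or (False, reason) instead of raising."""
    try:
        validate_path(chain)
        return True, "ok"
    except PathValidationError as exc:
        return False, str(exc)


def build_demo_chains():
    """Constructed hierarchy: root -> sub-CA (pathlen 0) -> device cert, plus a
    sub-sub-CA that the sub-CA signs anyway (nothing stops it signing; path
    validation is what rejects the result) and a device cert issued under it."""
    root_key, sub_key, rogue_key, dev1_key, dev2_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(5))
    root = make_cert("Demo Root CA", root_key, None, root_key, ca=True)
    sub = make_cert("Demo Sub-CA", sub_key, root, root_key, ca=True, path_length=0)
    dev1 = make_cert("device-0001.internal.example", dev1_key, sub, sub_key, ca=False)
    rogue = make_cert("Demo Sub-Sub-CA", rogue_key, sub, sub_key, ca=True)
    dev2 = make_cert("device-0002.internal.example", dev2_key, rogue, rogue_key, ca=False)
    return {"direct": [root, sub, dev1], "too_deep": [root, sub, rogue, dev2]}


if __name__ == "__main__":
    for label, chain in build_demo_chains().items():
        ok, reason = check_path(chain)
        print(f"{label}: {'valid' if ok else 'rejected'} ({reason})")
```

Running the block prints the direct path as valid and the four-certificate path as rejected at "Demo Sub-Sub-CA", even though every signature in it verifies. That is the difference between a contractual promise not to create subordinates and a technical one: with pathLenConstraint 0 in the sub-CA certificate, a conforming relying party never accepts a certificate issued by a sub-sub-CA, whatever the third party does with its key.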