To summarize this discussion, there are three areas that need to be resolved. They are:
1) Inclusion of a root that expires in a year and a half.
2) Questions about the Class 0 certificates that are part of the CPS.
3) Questions about the externally-operated subordinate CAs.

*** 1) Inclusion of a root that expires in a year and a half

A concern has been raised about including the TC TrustCenter Class 1 CA root when it will be phased out before the end of 2010.
* This root has four internally-operated subordinate CAs which issue certificates for email and SSL client authentication.
* This root has one externally-operated sub-CA which is used to issue certificates to company internal email users to secure the internal email communication.
* This root is 1024 bit.
* There are a large number of certificates chained to this root which are being used for secure email, so TC TrustCenter requests that the root be pre-installed for Thunderbird.

Precedent has been set in prior CA inclusion requests in which roots expiring in a year have not been approved. Therefore, the recommendation will likely be to not include the TC TrustCenter Class 1 CA root.

*** 2) Questions about the Class 0 certificates that are part of the CPS.

The Class 0 certificates are part of the general CPS and that's why we have to take them into consideration. Is it possible to identify the root in question (which should not be included) and perhaps a sample certificate of a typical Class 0 certificate? Does the CPS make a clear distinction between this root and other roots, and if so, where exactly?

The following root certificates are discussed in the CPS, but are not part of this inclusion request:
TC TrustCenter Class 0 CA
TC TrustCenter Class 2 CA
TC TrustCenter Class 3 CA
TC TrustCenter Class 4 CA
TC TrustCenter Class 4 CA II
TC TrustCenter Universal CA II

The following root certificates are discussed in the CPS, and are part of this inclusion request:
TC TrustCenter Class 1 CA
TC TrustCenter Class 2 CA II
TC TrustCenter Class 3 CA II
TC TrustCenter Universal CA I

CPS section 3.2.3:
Class 0: These certificates are issued for testing and demonstration purposes. They are valid for a short period of time only. Data contained in a Class 0 certificate is not verified by TC TrustCenter in any way!

I believe this information answers the above questions about the Class 0 certificates.

*** 3) Questions about the externally-operated subordinate CAs.

* It was clarified that there are currently 2 externally-operated subordinate CAs chaining up to these roots, and information according to the SubordinateCA_checklist was provided.
** Both of these externally-operated sub-CAs are used by the third party for internal use only.
** Neither of the sub-CAs can create its own subordinates, due to the path length constraint in the sub-CA certificate.
** It is stated that the sub-CAs are required to follow TC TrustCenter's CPD and CPS.
** Sub-CA 1 is chained to the TC Class 2 CA II root, and is used to issue SSL and email certificates for internal use only.
** Sub-CA 2 is chained to the TC Class 1 CA root, and is used to issue certificates to company internal email users.

In regards to section 7 of the Mozilla CA certificate policy, there seems to be confusion about verification of domain and email address ownership/control.
** In the TC TrustCenter CPD sections 4.3.2 and 4.4.2 it says: For server certificates it is checked if the domain name in the certificate is registered to the organization applying for the certificate.
*** However, the comment above in regards to sub-CA 1 says: Certificates are issued only company internal and all relying parties are only company internal, so domain ownership/control need not be verified.
** It is stated in the TC TrustCenter CPD sections 4.3 and 4.4: If an e-mail address is contained in the certificate, its correctness is verified by an access test. If statements about an organization are made in the certificate, the organization itself may confirm the correctness of the e-mail address.
*** However, the comments above in regard to verification of email address ownership/control say: Certificates are issued to company internal devices and all relying parties are only company internal.

The open questions about externally-operated sub-CAs are:
* Can you explain in more depth how exactly the relying parties remain company internal? Does this apply to all sub-CAs which potentially may appear in the future?
* How are the CA certificates protected?
* Can this CA potentially issue to any other entity beyond the company internal usage?
* How do you make reasonably sure that the sub-CAs follow the TC TrustCenter CPD and CPS?
* Do the sub-CAs have to follow the CPD and CPS in regards to verification of domain and email address ownership/control? Please explain how this is controlled.
* What are the audit requirements for the sub-CAs?

Rolf, would you please respond to these questions about externally-operated sub-CAs?

Thanks,
Kathleen

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
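As an added example (not part of this thread and not TC TrustCenter's or Mozilla's own tooling), the three certificate-level points raised above, remaining lifetime, 1024-bit key size, and the pathlen constraint that stops a sub-CA from creating further subordinates, checked on a CA certificate with Go's standard crypto/x509; MintTestCA mints a constructed self-signed test certificate so the review runs offline. The function names, the 18-month horizon and the 2048-bit threshold are this example's assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// ReviewCA applies the thread's checks to one CA cert: remaining lifetime, RSA key size, pathlen.
func ReviewCA(c *x509.Certificate, now time.Time) (findings []string) {
	if c.NotAfter.Before(now.AddDate(0, 18, 0)) {
		findings = append(findings, "expires "+c.NotAfter.Format("2006-01-02")+", within 18 months")
	}
	if pub, ok := c.PublicKey.(*rsa.PublicKey); ok && pub.N.BitLen() < 2048 {
		findings = append(findings, fmt.Sprintf("RSA key is only %d bits", pub.N.BitLen()))
	}
	switch {
	case c.MaxPathLenZero: // pathLenConstraint explicitly 0: end-entity certs only
		findings = append(findings, "pathlen:0, cannot create its own subordinate CAs")
	default: // pathlen N>0, or -1 when the field is absent from basicConstraints
		findings = append(findings, fmt.Sprintf("pathlen %d (-1 = none), may create subordinate CAs", c.MaxPathLen))
	}
	return findings
}

// MintTestCA builds a self-signed CA (constructed test data, not a TC TrustCenter
// certificate) with the given RSA key size, expiry and pathlen; pass -1 for none.
func MintTestCA(bits int, notAfter time.Time, pathLen int) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		NotBefore:             notAfter.AddDate(-5, 0, 0),
		NotAfter:              notAfter,
		BasicConstraintsValid: true,
		IsCA:                  true,
		MaxPathLen:            pathLen,
		MaxPathLenZero:        pathLen == 0, // Go needs this flag to encode pathlen:0
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

Running ReviewCA over a real root or sub-CA parsed with x509.ParseCertificate gives the same three findings a root-program reviewer would record for it.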