The open questions about externally operated sub-CAs are (hope I got them all):
a) Can you explain in more depth how exactly the relying parties remain company-internal?
b) Does this apply to all sub-CAs which may potentially appear in the future?
c) How are the CA certificates protected?
d) Can this CA potentially issue to any other entity beyond the company-internal usage?
e) How do you make reasonably sure that the sub-CAs follow the TC TrustCenter CPD and CPS?
f) Do the sub-CAs have to follow the CPD and CPS in regards to verification of domain and email address ownership/control? Please explain how this is controlled.
g) What are the audit requirements for the sub-CAs?
Here is our response:

Regarding a) The devices are operated company-internally. The device certificates are not used to protect external access to these devices. The device certificates are not used to access external resources.

Regarding b) No, this does not necessarily apply to all sub-CAs which might appear in the future. In the future we might also get customers who want to use such certificates externally. We'll add the requirement to publish the applicable CP/CPS to our root signing contract.

Regarding c) The CA certificate protection is done according to the WebTrust / ETSI requirements. In particular, this customer uses a FIPS 140-2 Level 4 HSM.

Regarding d) Technically this is possible, but their policy and our contract forbid it.

Regarding e) Our internal policy team has audited our client's policies and procedures by reviewing the client's CPS. As part of this audit we had intense face-to-face discussions with our client.

Regarding f) This particular client is not allowed to issue SSL server certificates, so verifying the domain plays a completely different role here. The certificates are device certificates, and the device name and the email address belong to a company-internal domain. So the ownership is guaranteed.

Regarding g) Our current requirements include an in-depth CP and CPS review and intense discussions of the procedures with our customers. There are no requirements for the external entities to undergo third-party audits unless we decide that it is necessary. The right to impose this requirement is already defined in our contract with the external entities.

--
Dr. Rolf Lindemann
Director Product Management
TC TrustCenter GmbH
Sonninstrasse 24-28, 20097 Hamburg
Office: +49 40 808026-300
Fax: +49 40 808026-126
Email: lindem...@trustcenter.de
www.trustcenter.de
Geschaeftsfuehrung/Managing Directors: Robert Steinkrauss, Dr. Sabine Kockskaemper
AG Hamburg, HRB 96168
-- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto