Thank you to those of you who have reviewed this request and
contributed to the discussion. Your time and commitment to this
process is greatly appreciated!
To summarize this discussion, there were three areas that were of
primary interest. They were:
1) Inclusion of a root that expires in a year
Rolf, thank you for your answers!
On 03/31/2009 10:05 AM, Rolf Lindemann:
Regarding b)
No, this does not necessarily apply to all sub CAs which might appear in the
future. In the future we might also get customers which want to use such
certificates externally.
We'll add the requirement to publi
The open questions about externally operated sub-CAs are (Hope I got all):
a) Can you explain into more depth how exactly the relying parties remain
company internal?
b) Does this apply to all sub CAs which potentially may appear in the
future?
c) How are the CA certificates protected?
d) Can this
I am waiting for some feedback from our root signing customer.
I will respond to these questions early next week.
--
Dr. Rolf Lindemann
Director Product Management
TC TrustCenter GmbH
Sonninstrasse 24-28, 20097 Hamburg
Office: +49 40 808026-300
Fax: +49 40 808026-126
Email: lind
On 3/26/2009 12:27 PM, Kathleen Wilson wrote [in part]:
> 1) Inclusion of a root that expires in a year and half
> A concern has been raised about including the TC TrustCenter Class 1
> CA root when it will be phased out before the end of 2010.
> * This root has four internally-operated subordinate
To summarize this discussion, there are three areas that need to be
resolved. They are: 1) Inclusion of a root that expires in a year and
half. 2) Questions about the Class 0 certificates that are part of the
CPS. 3) Questions about the externally-operated subordinate CAs.
***
1) Inclusion of a ro
Hi Rolf,
Thank you for taking your time here. Please allow me a few more questions...
On 03/23/2009 07:14 PM, Rolf Lindemann:
1. General description of the sub-CAs operated by third parties.
--> This sub-CA 1 is used to issue certificate to company internal devices.
All relying parties are co
Hi,
Here our statement regarding the SubordinateCA checklist requirements:
There are only two subordinate CAs issued by the root certificates related to
this request.
Both Sub-CAs are operated by a third party for internal use only.
Regarding Sub-CA 1, which is chained to “TC Class 2 CA II”
Be
>> There are a small number of external CAs that have been signed by our root.
Of the four roots being considered for inclusion (TC TrustCenter Class
1 CA, TC TrustCenter Class 2 CA II, TC TrustCenter Class 3 CA II, TC
TrustCenter Universal CA I) which one(s) have or will have subordinate
CAs that
On 03/18/2009 04:39 PM, Rolf Lindemann:
There are a small number of external CAs that have been signed by our root.
They are not part of a formal audit but our Director of Security does audit
and review their CPS'.
There are no requirements for the external entities to undergo third party
audits
You seem to misunderstand the reason there's friction here. (I do
understand your reasoning -- there are a lot of active certificates in
active use under that root, and you would like to see Thunderbird
support them.)
However:
Over the past several years, the process for getting CAs approved has
Hi,
>The comment from https://bugzilla.mozilla.org/show_bug.cgi?id=392024#c42
>and further in comment 44 suggests that there *are* external sub
>ordinate CA certificates. Do we know how many and if they were included
>in the audits? Also will they be part of the audits or are only the
>control
Hi,
>http://www.mozilla.org/projects/security/certs/pending/#TC%20TrustCenter
>the first entry refers to a root (TC TrustCenter Class 1 CA)
>with a key size of 1024 bit and which expires at the 2011-01-01. I think
>it's unreasonable to expect to have this root considered for inclusion
>and this
On 03/18/2009 10:53 AM, Rolf Lindemann:
Hi,
It is planned to phase out the "TC Class 2 CA" and "TC Class 3 CA" 1024 bit
root certificates - which are already been included in Mozilla - before end
of 2010.
There is not yet a schedule for phasing out the "TC Class 2 CA II" and "TC
Class 3 CA II"
On 03/18/2009 10:46 AM, Rolf Lindemann:
Hi,
There was the question what the relationship of this root insertion request
to our Class 0 certificate is:
TC Class 0 certificates are used for testing purposes only.
TC TrustCenter intentionally did not ask for insertion of the "TC Class 0"
root cert
Hi,
It is planned to phase out the "TC Class 2 CA" and "TC Class 3 CA" 1024 bit
root certificates - which are already been included in Mozilla - before end
of 2010.
There is not yet a schedule for phasing out the "TC Class 2 CA II" and "TC
Class 3 CA II" root certificates.
We'll continue to use
Hi,
There was the question what the relationship of this root insertion request
to our Class 0 certificate is:
TC Class 0 certificates are used for testing purposes only.
TC TrustCenter intentionally did not ask for insertion of the "TC Class 0"
root certificate.
The "TC Universal" roots have not
On 03/09/2009 10:51 PM, kathleen95...@yahoo.com:
* The TC TrustCenter Class 1 CA root has four internally-operated
subordinate CAs which issue certificates for email and SSL client
authentication. Only the email trust bit is requested for this root.
Note that this root is 1024 bit and it expires
On Mon, Mar 9, 2009 at 1:51 PM, wrote:
> Summary of Information Gathered and Verified:
>
> https://bugzilla.mozilla.org/attachment.cgi?id=362354
>
> Some quick comments regarding noteworthy points:
>
> * The TC TrustCenter Class 1 CA root has four internally-operated
> subordinate CAs which issue
As per the CA Schedule at https://wiki.mozilla.org/CA:Schedule TC
TrustCenter is the next request in the queue for public discussion.
TC TrustCenter (a commercial company based in Germany, with customers
in all major regions of the world) has applied to add four root CA
certificates to the Mozilla
20 matches
Mail list logo
