
T-Systems Additional Root Inclusion Request


Kathleen Wilson

Apr 27, 2012, 4:41:52 PM
to mozilla-dev-s...@lists.mozilla.org
T-Systems has applied to add the “T-TeleSec GlobalRoot Class 3” root
certificate, turn on the Websites trust bit, and enable EV.

T-Systems is a wholly-owned subsidiary of Deutsche Telekom AG.

The request is documented in the following bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=669849

And in the pending certificates list here:
http://www.mozilla.org/projects/security/certs/pending/#T-Systems

Summary of Information Gathered and Verified:
https://bugzilla.mozilla.org/attachment.cgi?id=619163

Noteworthy points:

* The primary documents are the CP, CPS, and the ServerPass CP/CPS. The
documents are provided in English.

Document Repository: http://www.telesec.de/pki/roots.html
ServerPass CP/CPS (German): http://www.telesec.de/serverpass/cps.html
ServerPass CP/CPS (English):
https://bugzilla.mozilla.org/attachment.cgi?id=555341
CP: http://www.telesec.de/pki/service/GlobalRoot_Class_3/cp_en.pdf
CPS: http://www.telesec.de/pki/service/GlobalRoot_Class_3/cps_en.pdf

This is an offline root that will have internally-operated subordinate
CAs corresponding to the high security services that are offered.

The request is to turn on the Websites trust bit.

* ServerPass CP/CPS section 3.2.2: The initial request can only be
placed after successful registration in the customer portal
<myServerPass>. In order to confirm the legal person named in the
Subject Distinguished Name (subjectDN) of the certificate under
Organization (O), the following document is required according to the
business category:
Legal person: The request form signed by an authorized signatory.
Authority: The request form signed by an authorized representative of
the authority and stamped with the official seal.
Association: The certified copy (no more than 30 days old) of the
register of associations excerpt must be submitted together with the
signed request form.
Trader(s): The certified copy (no more than 30 days old) of a current
trade license and the personal ID of the trader must be submitted
together with the signed request form.
The following is checked for all business categories:
- Is the information on the request form identical to the information in
the Certificate Signing Request (CSR) of the online request?
- Does the company name of the organization/company correspond to the
entry in the electronic commercial register or comparable directories?
Do current organization documents (no more than 30 days old) issued by a
competent authority also confirm the organization's existence (e.g.,
register of associations or comparable document, official stamp)?
- The authorization of the responsible contact at the organization named
in the request (legal person),
- Does the domain name correspond to the official directories? Does the
customer own the domain; i.e., has he been given the exclusive right of
use by means of a corresponding authorization?
- If a third party carries out the certificate request/management on
behalf of the organization, it must have a corresponding written
authorization concerning the transfer of rights.
- Are any necessary Whois entries available?
Additional checks are carried out as required.

* Additionally there is an “Operation Manual” for Trust Center staff,
including employees working on the registration and validation
procedure. To summarize, www.denic.de is the first tool used to verify
the ownership of a domain under the TLD .de, which is what most of the
issued certificates are for. For international TLDs, WHOIS is used
instead (www.whois.net). The domain holder must be the same organization
stated within the O field of the certificate. If this is not the case, a
letter of attorney is needed stating that the one applying for the
certificate is acting on behalf of the domain owner.

The request is to also enable EV.

* ServerPass CP/CPS section 3.2.2: TeleSec ServerPass EV: The initial
request can only be placed after successful registration in the customer
portal <myServerPass>. The required checks are carried out in accordance
with [WTEVGUIDE].
[WTEVGUIDE] = Guidelines For The Issuance and Management Of Extended
Validation Certificates, The CA / Browser Forum Version 1.2, October 1, 2009

* EV Policy OID: 1.3.6.1.4.1.7879.13.24.1
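The EV policy OID above is the value Mozilla's EV enablement keys on: a browser treats a certificate chaining to this root as EV only if the certificate's certificatePolicies extension carries that OID. Added example, not code from the thread or from T-Systems: a dependency-free DER encoder/decoder for the OID and a triage check that looks for the encoded OID inside a certificate blob; the certificatePolicies bytes are constructed here, not taken from a real T-TeleSec certificate.

```python
EV_POLICY_OID = "1.3.6.1.4.1.7879.13.24.1"  # OID stated in the inclusion request


def encode_oid(dotted: str) -> bytes:
    """DER-encode an OBJECT IDENTIFIER (tag 0x06) from dotted notation."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])  # first two arcs share a byte
    for arc in arcs[2:]:
        # base-128, most significant septet first, continuation bit on all but last
        septets = []
        while True:
            septets.insert(0, arc & 0x7F)
            arc >>= 7
            if arc == 0:
                break
        body += bytes(s | 0x80 for s in septets[:-1]) + bytes([septets[-1]])
    if len(body) >= 128:
        raise ValueError("short-form length only; sufficient for policy OIDs")
    return bytes([0x06, len(body)]) + bytes(body)


def decode_oid(tlv: bytes) -> str:
    """Decode a DER OID TLV (short-form length) back to dotted notation."""
    if tlv[0] != 0x06 or tlv[1] != len(tlv) - 2:
        raise ValueError("not a short-form OID TLV")
    body = tlv[2:]
    arcs = [body[0] // 40, body[0] % 40] if body[0] < 80 else [2, body[0] - 80]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # last septet of this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def asserts_policy(der: bytes, oid: str) -> bool:
    """True if the encoded OID TLV appears in the DER blob. A substring match is
    a quick triage check, not an ASN.1 walk; a real EV decision also checks
    that the chain ends at the root registered for this OID."""
    return encode_oid(oid) in der


def sample_cert_policies(oids) -> bytes:
    """Constructed certificatePolicies value: SEQUENCE OF PolicyInformation,
    each PolicyInformation being SEQUENCE { policyIdentifier OID } (no qualifiers)."""
    infos = b""
    for oid in oids:
        o = encode_oid(oid)
        infos += bytes([0x30, len(o)]) + o
    return bytes([0x30, len(infos)]) + infos
```

The second OID in the test, 2.23.140.1.1, is the CA/Browser Forum's generic EV OID; it is used only to show that a certificate asserting a different policy does not match this root's OID.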

* Root Cert URL: http://www.telesec.de/downloads/GlobalRoot_Class_3.cer

* Test Website: https://root-class3.test.telesec.de

* CRL
http://pki.telesec.de/rl/GlobalRoot_Class_3.crl
http://crl.serverpass.telesec.de/rl/EV_SSL_CA_Class_3.crl (NextUpdate:
24 hours)
ServerPass CP/CPS section 4.9.7: The certificate revocation list (CRL),
which contains the revoked certificates of end entities, is updated
twice a day and published by the repository.

* OCSP
OCSP URI in EE Cert: http://ocsp.telesec.de/ocspr
OCSP URI in EV Intermediate Cert: http://ocsp.serverpass.telesec.de/ocspr
Global Root Class 3 CPS section 4.9.9: Sub-CAs must maintain an OCSP
responder to validate issued certificates. OCSP responses must have a
maximum expiration time of ten (10) days. The OCSP repository must be
updated at least every four (4) days.

* Audit: Annual audits are performed by Ernst & Young GmbH according to
the WebTrust for CA and EV criteria, and posted on the webtrust.org website.
https://cert.webtrust.org/SealFile?seal=1219&file=pdf
https://cert.webtrust.org/SealFile?seal=1220&file=pdf

* Potentially Problematic Practices – None Noted
(http://wiki.mozilla.org/CA:Problematic_Practices)

This begins the discussion of the request from T-Systems to add the
“T-TeleSec GlobalRoot Class 3” root certificate, turn on the Websites
trust bit, and enable EV. At the conclusion of this discussion I will
provide a summary of issues noted and action items. If there are
outstanding issues, then an additional discussion may be needed as
follow-up. If there are no outstanding issues, then I will recommend
approval of this request in the bug.

Kathleen

Charles Reiss

Apr 27, 2012, 6:36:56 PM
to mozilla-dev-s...@lists.mozilla.org
On 4/27/12 1:41 PM, Kathleen Wilson wrote:
> T-Systems has applied to add the “T-TeleSec GlobalRoot Class 3” root
> certificate, turn on the Websites trust bit, and enable EV.
[snip]
> * The primary documents are the CP, CPS, and the ServerPass CP/CPS. The
> documents are provided in English.
>
> Document Repository: http://www.telesec.de/pki/roots.html
> ServerPass CP/CPS (German): http://www.telesec.de/serverpass/cps.html
> ServerPass CP/CPS (English):
> https://bugzilla.mozilla.org/attachment.cgi?id=555341
> CP: http://www.telesec.de/pki/service/GlobalRoot_Class_3/cp_en.pdf
> CPS: http://www.telesec.de/pki/service/GlobalRoot_Class_3/cps_en.pdf
[snip]
> * Potentially Problematic Practices – None Noted
> (http://wiki.mozilla.org/CA:Problematic_Practices):

The Class 3 CPS appears to permit the issuance of sub-CA certificates to
third-parties (e.g., sections 1.3.2.1, 1.3.3.1, and 4.1.2.1). Given that
the information gathering document suggests that T-Systems does not
intend to allow any external sub-CAs for this root, can its CPS reflect
this? If not, where is the document "T-Systems Root Signing Service
Specification" (referenced by the CPS) available? Is it available in
English?

Carsten.D...@t-systems.com

Apr 30, 2012, 7:28:34 AM
to wogg...@gmail.com, mozilla-dev-s...@lists.mozilla.org
Hi Charles,


T-Systems owns different roots which allow external Sub-CAs to be issued. Anyhow - the one under discussion is definitely not allowed to do so. This should be stated within the CPS explicitly.
I just double-checked the CPS - I will take care of the issue raised and we will provide a new version of the CPS once the discussion is closed.

The document's change log (history) will show which sections have been amended or worked on.

Does this address your concern?

Kind regards
Carsten


Carsten Dahlenkamp
T-Systems International GmbH
Trust Center Applications
Untere Industriestraße 20, 57250 Netphen, Germany
+49 271 708-1643 (Tel.)
E-Mail: carsten.d...@t-systems.com
http://www.t-systems.com, http://www.telesec.de

Kathleen Wilson

May 7, 2012, 4:19:12 PM
to mozilla-dev-s...@lists.mozilla.org
On 4/30/12 4:28 AM, Carsten.D...@t-systems.com wrote:
> Hi Charles,
>
>
> T-Systems owns different roots which allows external Sub-CAs to be issued. Anyhow - the one under discussion is definitely not allowed to do so. This should be stated within the CPS explicitly.
> I just double-checked the CPS - I will take care of this issue raised and we will provide a new version of the CPS once the discussion is closed.
>
> The document's change log (history) will show which sections have been amended or worked on.
>
> Does this address your concern?
>
> Kind regards
> Carsten
>


Charles, have your questions been sufficiently addressed?

All, Are there any further comments/questions regarding this request
from T-Systems to add the “T-TeleSec GlobalRoot Class 3” root
certificate, turn on the Websites trust bit, and enable EV?

Thanks,
Kathleen

Charles Reiss

May 7, 2012, 5:28:10 PM
to mozilla-dev-s...@lists.mozilla.org
On 5/7/12 1:19 PM, Kathleen Wilson wrote:
> Charles, have your questions been sufficiently addressed?

Yes.

Carsten.D...@t-systems.com

May 9, 2012, 6:06:23 AM
to kwi...@mozilla.com, wogg...@gmail.com, mozilla-dev-s...@lists.mozilla.org
Kathleen, Charles,

I have created a draft version 1.3.1 of the CPS "T-TeleSec GlobalRoot Class 3" which includes the appropriate changes. Now the CPS should be very clear that this Root CA does not allow any external Sub-CA (see change history for details). A PDF version was attached to the relevant bug.

In case there are no further issues raised which need changes to the CPS, we will finalize this version and push it to our website once it is approved.

For your convenience here are some direct links:

Mozilla 669849 - Add T-Systems Root CA Certificate and enable it for EV:
https://bugzilla.mozilla.org/show_bug.cgi?id=669849

Download link for CPS version 1.3.1:
https://bug669849.bugzilla.mozilla.org/attachment.cgi?id=622322


Kind regards,
Carsten

Carsten Dahlenkamp
T-Systems International GmbH
Trust Center Applications
Untere Industriestraße 20, 57250 Netphen, Germany
+49 271 708-1643 (Tel.)
E-Mail: carsten.d...@t-systems.com
http://www.t-systems.com, http://www.telesec.de


> -----Original Message-----
> From: dev-security-policy-bounces+carsten.dahlenkamp=t-
> syste...@lists.mozilla.org [mailto:dev-security-policy-
> bounces+carsten.dahlenkamp=t-syst...@lists.mozilla.org] On Behalf
> Of Kathleen Wilson
> Sent: Monday, May 07, 2012 10:19 PM
> To: mozilla-dev-s...@lists.mozilla.org
> Subject: Re: T-Systems Additional Root Inclusion Request
>
> On 4/30/12 4:28 AM, Carsten.D...@t-systems.com wrote:
> > Hi Charles,
> >
> >
> > T-Systems owns different roots which allows external Sub-CAs to be
> issued. Anyhow - the one under discussion is definitely not allowed to
> do so. This should be stated within the CPS explicitly.
> > I just double-checked the CPS - I will take care of this issue
> raised and we will provide a new version of the CPS once the
> discussion is closed.
> >
> > The document's change log (history) will show which sections have
> been amended or worked on.
> >
> > Does this address your concern?
> >
> > Kind regards
> > Carsten
> >
>
>
> Charles, have your questions been sufficiently addressed?
>
> All, Are there any further comments/questions regarding this request
> from T-Systems to add the "T-TeleSec GlobalRoot Class 3" root
> certificate, turn on the Websites trust bit, and enable EV?
>
> Thanks,
> Kathleen
>
> _______________________________________________
> dev-security-policy mailing list
> dev-secur...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy

Kathleen Wilson

May 14, 2012, 12:45:38 PM
to mozilla-dev-s...@lists.mozilla.org
On 5/9/12 3:06 AM, Carsten.D...@t-systems.com wrote:
> Kathleen, Charles,
>
> I have created a draft version 1.3.1 of the CPS "T-TeleSec GlobalRoot Class 3" which includes the appropriate changes. Now the CPS should be very clear, that this Root CA does not allow any external Sub-CA (see change history for details). A PDF version was attached to the relevant bug.
>
> In case there would be no further issues raised which needs changes to the CPS, we will finalize this version and push it to our website once it is approved.
>
> For your convenience here are some direct links:
>
> Mozilla 669849 - Add T-Systems Root CA Certificate and enable it for EV:
> https://bugzilla.mozilla.org/show_bug.cgi?id=669849
>
> Download link for CPS version 1.3.1:
> https://bug669849.bugzilla.mozilla.org/attachment.cgi?id=622322
>
>


I believe that the questions that have been raised during this
discussion have been appropriately addressed.

Please reply if you have further questions/comments on this request from
T-Systems to add the “T-TeleSec GlobalRoot Class 3” root certificate,
turn on the Websites trust bit, and enable EV. Otherwise, I will close
this discussion and recommend approval in the bug.

Thanks,
Kathleen

Kathleen Wilson

May 23, 2012, 3:22:21 PM
to mozilla-dev-s...@lists.mozilla.org
On 4/27/12 1:41 PM, Kathleen Wilson wrote:
> T-Systems has applied to add the “T-TeleSec GlobalRoot Class 3” root
> certificate, turn on the Websites trust bit, and enable EV.
>
> T-Systems is a wholly-owned subsidiary of Deutsche Telekom AG.
>
> The request is documented in the following bug:
> https://bugzilla.mozilla.org/show_bug.cgi?id=669849
>
> And in the pending certificates list here:
> http://www.mozilla.org/projects/security/certs/pending/#T-Systems
>
> Summary of Information Gathered and Verified:
> https://bugzilla.mozilla.org/attachment.cgi?id=619163
>
> Noteworthy points:
>
> * The primary documents are the CP, CPS, and the ServerPass CP/CPS. The
> documents are provided in English.
>
> Document Repository: http://www.telesec.de/pki/roots.html
> ServerPass CP/CPS (German): http://www.telesec.de/serverpass/cps.html
> ServerPass CP/CPS (English):
> https://bugzilla.mozilla.org/attachment.cgi?id=555341
> CP: http://www.telesec.de/pki/service/GlobalRoot_Class_3/cp_en.pdf
> CPS: http://www.telesec.de/pki/service/GlobalRoot_Class_3/cps_en.pdf
>
> This is an offline root that will have internally-operated subordinate
> CAs corresponding to the high security services that are offered.
>
> The request is to turn on the Websites trust bit.
>


Thanks again to those of you who have reviewed and commented on this
request.

The concern about potential subCAs was addressed by T-Systems updating
the CPS section 1.3.1 to add the text:
“Issuing of external sub CA certificates is not offered under this root CA.”

There is one action item resulting from this discussion that will be
tracked in the bug:

ACTION T-Systems: Make the draft version 1.3.1 of the CPS official and
post a comment in the bug when the new CPS is available on their website.

I am now closing this discussion, and I will post a summary of this
request and my recommendation for approval in the bug:

https://bugzilla.mozilla.org/show_bug.cgi?id=669849

Any further follow-up on this request should be added directly to the bug.

Thanks,
Kathleen