Comment 142 for bug 232340

In , Hecker-hecker (hecker-hecker) wrote:

My apologies for the delay in getting to this bug. I updated my list at <http://www.hecker.org/mozilla/ca-certificate-list> to note that the current versions of the root and CA policies are 1.2, dated February 22, 2006.

At this point we have enough information to evaluate this CA for inclusion, per the official CA policy at

http://www.mozilla.org/projects/security/pki/nss/ca-certificates/policy.html

Here are my quick thoughts on StartCom vis-a-vis the policy's requirements:

Section 4. I'm not aware of any technical issues with StartCom-issued certificates. If anyone sees any technical problems with the certs themselves, please note it in this bug report.

Section 6. StartCom appears to provide a service relevant to Mozilla users: It issues no-charge certificates for SSL server use as well as personal email certificates. Policies are documented in the overall policy document and intermediate CA document published on the StartCom site and listed in the ca-certificate-list page referenced above.

Section 7. StartCom appears to meet the minimum requirements for subscriber verification: For class 1 personal certificates StartCom verifies that the entity submitting the request controls the email account associated with the email address referenced in the certificate. (See page 16 of the policy document.) For class 1 SSL server certificates StartCom verifies domain control by sending an email to one of the standard addresses (webmaster@domain, etc.) associated with the domain. (See page 15 of the policy document.) StartCom also issues class 2 personal and server certs, with additional verification required. StartCom does not currently issue code signing certs.

Section 8-10. StartCom has successfully completed an independent audit using the WebTrust for CAs criteria. The auditors were We! Consulting.

Section 13. StartCom has multiple intermediate CAs under a single root. Class 1 certificates are issued under different intermediates than class 2, etc.

Other: StartCom issues CRLs (on a 12-hour schedule) and also has an OCSP responder.

Some open questions:

1. Given the obvious possibility of StartCom's service being used to obtain free SSL certs for phishing sites, what is StartCom's strategy to deal with possible fraudulent use of the service? Is it limited to certificate revocation based on reports of possible fraud, or are other measures in place or planned?

2. StartCom doesn't appear to have an official WebTrust seal. Why?

3. CRL publication is on a 12-hour schedule. Is the OCSP responder's data taken from the CRLs (and thus possibly up to 12 hours old), or is it more up-to-date?

I'm opening up a period of public discussion of this request. I'll post on the mozilla.dev.tech.crypto newsgroup to start the discussion.
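The freshness question in point 3 above is easier to reason about with a small model. The following is an added illustration, not part of the comment above and not StartCom's or Mozilla's code: it simulates an OCSP responder that only re-reads the CRL each time it is published (the 12-hour schedule mentioned above) next to one that consults the CA's live revocation records, and measures how long a revocation can stay invisible to the CRL-backed design. The serial number, timestamps and both responder designs are constructed assumptions.

```python
"""Revocation freshness: an OCSP responder fed from a 12-hour CRL versus one
that reads the CA's live revocation records (added illustration, constructed)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# The 12-hour figure is the CRL schedule mentioned in the comment; everything
# else in this model (serials, times, responder designs) is constructed here.
CRL_INTERVAL = timedelta(hours=12)


@dataclass
class RevocationDatabase:
    """The CA's live record of revocations: serial number -> time of revocation."""
    revoked: dict = field(default_factory=dict)

    def revoke(self, serial: int, when: datetime) -> None:
        self.revoked[serial] = when

    def is_revoked(self, serial: int, at: datetime) -> bool:
        when = self.revoked.get(serial)
        return when is not None and when <= at


@dataclass(frozen=True)
class CrlSnapshot:
    """What a CRL signed at `this_update` lists; it is relied on until `next_update`."""
    this_update: datetime
    next_update: datetime
    serials: frozenset


def issue_crl(db: RevocationDatabase, issued_at: datetime) -> CrlSnapshot:
    """Build the CRL exactly as it would have been signed at `issued_at`."""
    listed = frozenset(s for s, t in db.revoked.items() if t <= issued_at)
    return CrlSnapshot(issued_at, issued_at + CRL_INTERVAL, listed)


def current_crl(db: RevocationDatabase, first_issue: datetime, at: datetime) -> CrlSnapshot:
    """The most recent CRL on the fixed schedule that a relying party holds at `at`."""
    periods = (at - first_issue) // CRL_INTERVAL
    return issue_crl(db, first_issue + periods * CRL_INTERVAL)


def crl_backed_ocsp(db: RevocationDatabase, first_issue: datetime,
                    serial: int, at: datetime) -> str:
    """Responder design A: answers only from the latest published CRL."""
    return "revoked" if serial in current_crl(db, first_issue, at).serials else "good"


def live_ocsp(db: RevocationDatabase, serial: int, at: datetime) -> str:
    """Responder design B: answers from the CA's revocation records directly."""
    return "revoked" if db.is_revoked(serial, at) else "good"


def crl_backed_lag(db: RevocationDatabase, first_issue: datetime, serial: int) -> timedelta:
    """How long after revocation design A first reports the certificate as revoked."""
    revoked_at = db.revoked[serial]
    periods = (revoked_at - first_issue) // CRL_INTERVAL
    next_issue = first_issue + periods * CRL_INTERVAL
    if next_issue < revoked_at:          # revoked between issues: wait for the next CRL
        next_issue += CRL_INTERVAL
    return next_issue - revoked_at


def scenario() -> dict:
    """Constructed scenario: a certificate revoked one hour into a CRL period."""
    t0 = datetime(2006, 2, 22, 0, 0, tzinfo=timezone.utc)   # constructed schedule start
    db = RevocationDatabase()
    serial = 0x1234                                          # constructed serial number
    db.revoke(serial, t0 + timedelta(hours=1))
    at_2h = t0 + timedelta(hours=2)
    at_12h30 = t0 + timedelta(hours=12, minutes=30)
    return {
        "crl_backed_at_02h": crl_backed_ocsp(db, t0, serial, at_2h),   # still "good"
        "live_at_02h": live_ocsp(db, serial, at_2h),                    # "revoked"
        "crl_backed_at_12h30": crl_backed_ocsp(db, t0, serial, at_12h30),
        "lag_hours": crl_backed_lag(db, t0, serial) / timedelta(hours=1),
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

The worst case for design A is a revocation just after a CRL is signed: relying parties keep getting "good" until the next CRL, so the lag approaches the full publication interval. A responder that reads the live records (design B) closes that window, which is why the distinction asked about in point 3 matters to relying parties.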