© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
1b1ed1a
(Get the code!)
Thank you for the information.
>“The main purpose of certificates issued by FNMT-RCM Certification Authority
> is user identity authentication nor digitally sign and/or encryption email
> messages. The email is only used as contact method to send information to
>users”.
Then the requested trust bits should not include email (S/MIME). The requested trust bits should only be websites (SSL/TLS) and Code Signing. Do you agree?
In regards to the existing audit, I have submitted a request via the BSI website to verify the authenticity of the audit statement as per Mozilla policy. Once the old audit is verified, I think we can proceed with evaluation of this request.
The existing audit has expired, so an updated audit will probably be needed before final inclusion.
>Long-Lived Domain-Validated SSL certs
>“DV certificates issued by FNMT-RCM CA has four year of validity period. Do
>you mind that four years is very large? In any case, we only issue DV
>certificates to very contrasted legal entities (public or private)”.
I am not sure what “contrasted legal entities” means.
This is only a concern for SSL certs in which the identity or organization of the owner of the certificate has not been verified. If you issue 4-year certs in which only the domain name has been verified, then the certs are subject to the issue described in
https:/
>“The CRLs issued by FNMT-RCM CA have the CRL Issuing Distribution Point
>extension flagged as critical as X509 recommends.”
This is problematic because Firefox will return the error code ffffe095 when attempting to load a CRL with the critical CIDP. It is highly recommended that you don’t make this extension critical until this has been resolved in Firefox, which is still TBD.