Today I reviewed this application for the inclusion of the eSignTrust Root Certification Authority (G03) (for email trust bit).
Here are some things we still need:
1 - The CPS needs to explain the email verification process in greater detail. It currently does not meet Mozilla requirements.
2 - We need the full CA hierarchy under the Root. Macao Post needs to add records for all existing intermediate certificates into the CCADB.
3 - The CPS needs a Revision Table or Changelog, updated annually.
4 - The CCADB application indicates that External Third Party CAs and RAs are allowed under the PKI hierarchy, therefore we need to have written assurances in the CPS that the domain part of verification will not be delegated to any third party. ("The CA SHALL NOT delegate validation of the domain portion of an email address. The CA MAY rely on validation the CA has performed for an Authorization Domain Name (as specified in the Baseline Requirements) as being valid for subdomains of that Authorization Domain Name. The CA's CP/CPS must clearly specify the procedure(s) that the CA employs to perform this verification." Mozilla Root Store Policy section 2.2.) We'll also need more explanation of how delegated third party CAs will be chosen, authorized, and overseen. (When an external third party is provided a CA certificate, there is the potential to lose control over certification practices, etc. Yet, Mozilla will still hold the root operator fully responsible, and the negligence of a third party CA can result in the revocation of trust of the Root CA.)