> Hi Tanaka-san,
>
> Thanks for this email, and for re-looking into Netrust's accreditation. My
> comments are provided below:
>
> Comment 1 - Netrust's Root CA.
> Netrust CA1 was set up in 2001. In 2001, and even presently, most public CAs
> do not have the basicConstraints extension marked as 'critical'. A scan
> through the Root Store of the Microsoft browser would testify to this. For
> CAs that have the basicConstraints marked as 'critical', there would be
> problems with applications that do not know how to handle this.
>
> Regardless of whether the basicConstraints is marked 'critical' or not, at
> the application level it would still be possible to read the
> basicConstraints. Netrust's CA pathLength Constraint is set to 'none', as in
> most other public CAs. Thus there is really no impact on GRID applications.

Since both the IGTF Classic AP and RFC 3280 state that "basicConstraints MUST be
marked as critical", it is not easy to propose relaxing MUST to SHOULD as we did
for keyUsage. There could be some options, though I'm not sure which would be
acceptable to Netrust:

(1) Modify the profile to mark basicConstraints as critical.
    -> I don't think this is acceptable.
(2) Launch a subordinate CA which complies with the Classic AP (as SWITCH CA is
    doing).
    -> I heard that it is not easy...
(3) Approve Netrust as an exception.
    -> I don't know how to explain the reason to the other PMAs...

I still have no answer.

> Comment 2 - Should 'serial number' be used.
> Netrust's NetIDs are issued to persons, and the Serial Number serves an
> important purpose of uniquely identifying individuals with the same name.
> This is also common practice. Thus, the more logical proposition is for
> systems that are still using the non-standard OpenSSL of versions 0.9.6 and
> below to upgrade to version 0.9.7+, to resolve the potential problem with
> authorisation.

As you mentioned, upgrading to version 0.9.7+ should be the right solution, but
since certificates that contain a serial number may cause trouble for Grid
applications, I think you shouldn't issue certificates which include the serial
number in the subject DN for Grid use.

> Comment 3 - Publishing of Netrust CPS/ CP
> Netrust currently publishes only the latest versions of the CP/ CPS. In the
> latest version, the change history is also recorded, and it provides
> sufficient information on the changes that have been made. Older versions
> are available upon request; however, Netrust can have previous versions made
> available on the website, if required by APGRID.

OK.

Thanks,