NetLock is a CA located in Hungary. They have four root CAs: NetLock Qualified (Class QA), NetLock Notary (Class A), NetLock Business (Class B), and NetLock Express (Class C). See <http://www.hecker.org/mozilla/ca-certificate-list> for more information. NetLock apparently has completed a WebTrust for CA audit (by Ernst & Young), but the CA is not listed on the WebTrust "sites with seals" page, and I can't find any other online information regarding their WebTrust status. See also bug 277797 concerning a problem importing one of the NetLock certificates. Approval of NetLock CA certificates for inclusion in Mozilla-related software will depend on resolving the question of NetLock's WebTrust status and (possibly) resolving bug 277797.

We can't add this CA's "qualified" CA cert until bug 277797 is resolved.

I got a copy of the NetLock audit report (in the form of JPEG page images scanned in from the original paper document) and have linked to it from <http://www.hecker.org/mozilla/ca-certificate-list>. This appears to satisfy the requirement for a WebTrust/WebTrust-equivalent audit. The remaining issues appear to be as follows: 1. The issue with the Qualified CA discussed in bug 277797. IMO this doesn't affect my approval of NetLock in general, it simply affects when/if the Qualified CA root certificate can be actually added. 2. The recommended trust bits for the various NetLock CA certificates. This is not strictly speaking needed for my approval, but *is* needed for the actual addition of the certificates to NSS. I need answers to the following questions for each of the four CAs (qualified/notary/business/express): a. Does the CA issue certificates for use by SSL-enabled web servers (or other SS-enabled servers)? b. Does the CA issue certificates for use in sending/receiving signed and/or encrypted email? P.S. Also accepting this bug -- I forgot to do this earlier. c. Does the CA issue certificates for use by software developers creating digitally signed code objects (e.g., Java applets, ActiveX controls, etc.)?

> 2. The recommended trust bits for the various NetLock CA certificates. This is > not strictly speaking needed for my approval, but *is* needed for the actual > addition of the certificates to NSS. I need answers to the following questions > for each of the four CAs (qualified/notary/business/express): My answers are in the same order. > a. Does the CA issue certificates for use by SSL-enabled web servers (or other > SS-enabled servers)? no/yes/yes/yes > b. Does the CA issue certificates for use in sending/receiving signed and/or > encrypted email? yes/yes/yes/yes > c. Does the CA issue certificates for use by software developers creating > digitally signed code objects (e.g., Java applets, ActiveX controls, etc.)? yes/yes/yes/yes So, except the qualified, all of them are used to all the purposes, the only difference that the qualified isn't issue SSL certificates. Thanks for your help.

I'm approving this request based on NetLock's successful completion of a WebTrust audit, and have filed bug 280744 for the actual addition of the certs to NSS.

Current Status NetLock Notary (Class A), NetLock Business (Class B), and NetLock Express (Class C) have been added to NSS. They will be in Mozilla 1.8 Beta 2 and Firefox/Thunderbird ("Aviary") 1.1 Alpha. NetLock Qualified (Class QA) has not been added to NSS because of bug 277797.

Bug 313942 now requests inclusion of the new Netlock Class QA root cert. The other CA certs requested in this RFE have been completed. So I'm marking this resolved/fixed.