On Sun, 2013-02-10 at 17:15 +0100, Thijs Kinkhorst wrote:
> On Sun, February 10, 2013 15:52, Ben Hutchings wrote:
> > On Sun, 2013-02-10 at 12:38 +0100, Florian Weimer wrote:
> >> * Ben Hutchings:
> >>
> >> > According to
> >> > <https://www.globalsign.com/certificate-authority-root-signing/>, any
> >> > organisation may buy a secondary CA certificate signed by one of
> >> > GlobalSign's root CA certificates. These should therefore not be
> >> > trusted by default.
> >>
> >> This is actually true for many of the roots.
> >>
> >> You should bring this up on the Mozilla lists, I think.
> >
> > I know that many CAs issue secondaries to other organisations. The
> > question then is how careful they are about vetting and auditing the
> > other organisations. This page and the linked 'datasheet' basically say
> > 'pay us to make your internal CA trusted by everyone'.
>
> I disagree that they say that. Obviously, these are high-level one-page
> marketing descriptions that lack any technical implementation detail,
> including policies on audits and vetting.

Actually some technical details are on that 'datasheet', such as a list
of browsers and operating systems that trust the GlobalSign root CA.

> That is no surprise as this is
> not intended to be a CP/CPS. The page for example also doesn't detail a
> pricing scheme, although I'm very certain that there is one.

Sure, it explicitly says 'request a quote'.

> I don't think we should be making any decision based on single page
> leaflet texts. A CP/CPS is a much more useful document to base on. The
> Mozilla inclusion process encompasses review of such documents.

You're probably right, though marketing seems to be a relevant
consideration when assessing what their actual practices are.

Ben.

-- 
Ben Hutchings
I'm always amazed by the number of people who take up solipsism because
they heard someone else explain it. - E*Borg on alt.fan.pratchett