I'm finally getting back to working on requests from CAs for their root
certificates to be included in NSS/Mozilla. (Yes, I suck for leaving
this undone for so long; my apologies.)
The first one I'm working on is for StartCom Ltd., bug 289077:
https://bugzilla.mozilla.org/show_bug.cgi?id=289077
StartCom issues class 1 ("low assurance") and class 2 SSL and email
certs. They've successfully completed an independent audit using the
WebTrust for CAs criteria. Leaving aside a couple of open questions (as
noted in the bug), StartCom appears to meet the requirements of our
current CA cert policy.
The main "twist" in this case is that StartCom offers class 1
certificates at no charge, with an automated verification process
(basically sending emails to standard addresses for domains with an
authorization code to be "entered" by clicking a link back to the
StartCom site). There's an obvious concern about this service being used
fraudulently by phishers, and a philosophical issue about whether we
should ever approve a no-charge CA that uses automated verification. (A
no-charge CA with a more rigorous verification procedure would be a
different issue.)
On the flip side, having to pay to register domain names has proved to
not be an obstacle for phishers (especially when you can pay for them
with stolen credit cards), and the lowest current prices for SSL certs
($15/year) are comparable to domain name registration fees. So it's not
clear that this would worsen the situation from where it already is.
Feel free to comment on the bug regarding this specific application. If
you have more general comments (i.e., not necessarily related to
StartCom) please use the newsgroup/mailing list instead.
I'm going to allow a 1-2 week comment period for this request (depending
on how many comments I get), and then I'll make a decision on this request.
Frank
--
Frank Hecker
[EMAIL PROTECTED]
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto