Hi,

On Mon, 01 May 2006 16:17:58 -0700 David E. Ross wrote:
> ... I would not trust any Class 1 subscriber certificate ...

On Mon, 01 May 2006 20:24:40 -0400 Frank Hecker wrote:
> ...Whether one agrees that it's sufficient or not, "class 1" certificates ... As you'll recall,... the ultimate result is that the current Mozilla policy does not rule out CAs issuing such certs. ...

I have to join Frank's argument. The discussion about the pros and cons of "Class 1 certificates" (and many other topics) is already finished and went into the "Mozilla CA certificate Policy" (http://www.mozilla.org/projects/security/pki/nss/ca-certificates/policy.html). It is even a security feature to clearly define rules and then live by them. If a change should really be required, a change management process should start, which in turn is clearly defined.

Therefore, for now, the only question should be: Did StartCom or all the other CAs mentioned on http://www.hecker.org/mozilla/ca-certificate-list meet or exceed the defined criteria? Are there any open questions to judge this? That's exactly what Frank asked in https://bugzilla.mozilla.org/show_bug.cgi?id=289077 and the StartCom representative answered it. So are there any further questions based on the Mozilla CA certificate Policy? If not, you probably either have to approve StartCom and schedule their cert for inclusion or state that the Mozilla Policy is wrong and has to be changed, which will imply that all CAs which are already approved by the current policy have to be reevaluated.

The revival of the "Class 1 cert discussion" shows a different issue: Further distinction based on the level of authentication is required. In Toronto on Thursday November 17, on behalf of KDE, George Staikos hosted a meeting of the most popular browser vendors to discuss UI changes to reflect the different levels of trust. Plans exist for MSIE 7: http://blogs.msdn.com/ie/archive/2005/11/21/495507.aspx. In my opinion even further distinction is desirable, e.g. to which extent the CA can be held liable, but no consensus or standard exists on how to do this.

Christian Barmala
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto