Alaric Dailey wrote:
> I'd like to remind the participants, that StartCom has already one CA root
> in the NSS store which was approved less than a year ago:

That doesn't imply everything was perfect with this application at that time. Have you ever seen a root certificate with a nonRepudiation keyUsage extension? Yes, Startcom's current one does have that... Or, what RSA key size would you use for a 30-year root issued in 2005? Startcom thinks 1024 is enough...

> The StartCom CA is also included in Apple

Can't find them in /System/Library/Keychains/X509Anchors on an OS X 10.4.9 system - where did you get your copy of the OS from?

> This is a request for an additional root according to
> https://bugzilla.mozilla.org/show_bug.cgi?id=362304 and as I see it, this
> request conforms to the Mozilla CA policy in full.

This CA was last "audited" at the end of 2005 (more than one and a half years ago), by a third party whose qualification is certainly debatable - and based on last year's decision, the application should now just be routinely approved?

David E. Ross wrote:
> I believe the key issues with certificate authorities relate to
> whether they are operating in a computer-based environment correctly.
> The technology issues outweigh the business issues. Thus, when
> determining who is a "Competent Party", we must be careful not to
> allow the "auditing" mislead us into looking for the wrong
> qualifications.

So, leaving aside the lack of auditing expertise of the consulting company in question, do you really think they were a "competent party" when they looked at Startcom (and its home grown root cert) in 2005?

Kaspar
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto