Merely commenting on matters of fact:

Kaspar Brand wrote:
> That doesn't imply everything was perfect with this application at that
> time. Have you ever seen a root certificate with a nonRepudiation
> keyUsage extension? Yes, Startcom's current one does have that... Or,
> what RSA key size would you use for a 30-year root issued in 2005?
> Startcom thinks 1024 is enough...

The purpose of this application is not to re-evaluate a previous application or the suitability of a previous certificate, but to evaluate the current one.

> This CA was last "audited" at the end of 2005 (more than one and a half
> years ago), by a third party whose qualification is certainly debatable -
> and based on last year's decision, the application should now just be
> routinely approved?

There is nothing in the CA Certificate Policy which requires a particular audit frequency. There has been a suggestion that this be changed, and this suggestion will be discussed during the next round of policy updates.

https://bugzilla.mozilla.org/show_bug.cgi?id=381850

> So, leaving aside the lack of auditing expertise of the consulting
> company in question, do you really think they were a "competent party"
> when they looked at Startcom (and its home grown root cert) in 2005?

Again, it is not within the scope of this application to re-evaluate this decision, unless further information comes to light on the independence and/or competence of the auditors.

Gerv

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
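The two certificate properties Kaspar raises in the quoted text (a nonRepudiation keyUsage bit on a root, and a 1024-bit RSA key behind a 30-year validity period) can be checked mechanically when evaluating a root. The following is an added example written for this page; it is not code from the thread, from Mozilla, or from StartCom. It assumes the Python `cryptography` package is installed, the two roots it lints are constructed in the script rather than real certificates, and the thresholds of 2048 RSA bits and 25 years are the example's own assumptions, not a policy stated anywhere in the thread.

```python
"""Lint a root CA certificate for the properties raised in the thread.

Added example; assumes the `cryptography` package (pip install cryptography).
The two roots below are constructed here, not real StartCom certificates.
"""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

# Thresholds are this example's assumptions, not a policy quoted on the page.
MIN_RSA_BITS = 2048
MAX_ROOT_YEARS = 25


def build_root(common_name, key_bits, years, key_usage):
    """Build a constructed self-signed root for demonstration only."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=key_bits)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    not_before = datetime(2005, 1, 1, tzinfo=timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(not_before)
        .not_valid_after(not_before + timedelta(days=365 * years))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .add_extension(key_usage, critical=True)
        .sign(key, hashes.SHA256())
    )


def _validity_years(cert):
    # not_valid_*_utc exists in cryptography >= 42; fall back to the naive form.
    nb = getattr(cert, "not_valid_before_utc", None) or cert.not_valid_before
    na = getattr(cert, "not_valid_after_utc", None) or cert.not_valid_after
    return (na - nb).days / 365.25


def lint_root(cert):
    """Return a list of findings; an empty list means the root passes these checks."""
    findings = []
    pub = cert.public_key()
    if isinstance(pub, rsa.RSAPublicKey) and pub.key_size < MIN_RSA_BITS:
        findings.append(f"rsa_key_too_small:{pub.key_size}")
    years = _validity_years(cert)
    if years > MAX_ROOT_YEARS:
        findings.append(f"validity_years_{years:.0f}_exceeds_{MAX_ROOT_YEARS}")
    try:
        ku = cert.extensions.get_extension_for_class(x509.KeyUsage).value
    except x509.ExtensionNotFound:
        findings.append("key_usage_missing")
        return findings
    # RFC 5280 renamed the nonRepudiation bit to contentCommitment; cryptography
    # exposes it under that name. A CA signing key has no business asserting it.
    if ku.content_commitment:
        findings.append("nonrepudiation_on_root")
    if not ku.key_cert_sign:
        findings.append("key_cert_sign_missing")
    return findings


# Root with the properties Kaspar describes: 1024-bit RSA, 30-year validity,
# nonRepudiation set alongside the usual CA bits (constructed, not StartCom's).
WEAK_ROOT = build_root(
    "Example Weak Root (constructed)", 1024, 30,
    x509.KeyUsage(digital_signature=True, content_commitment=True,
                  key_encipherment=False, data_encipherment=False,
                  key_agreement=False, key_cert_sign=True, crl_sign=True,
                  encipher_only=False, decipher_only=False),
)

# Root with only keyCertSign and cRLSign, 2048-bit RSA, 20-year validity.
GOOD_ROOT = build_root(
    "Example Good Root (constructed)", 2048, 20,
    x509.KeyUsage(digital_signature=False, content_commitment=False,
                  key_encipherment=False, data_encipherment=False,
                  key_agreement=False, key_cert_sign=True, crl_sign=True,
                  encipher_only=False, decipher_only=False),
)

if __name__ == "__main__":
    for label, cert in (("weak", WEAK_ROOT), ("good", GOOD_ROOT)):
        print(label, lint_root(cert) or "no findings")
```

To run the same checks against a real root, load it with `x509.load_pem_x509_certificate()` (or `load_der_x509_certificate()`) and pass the result to `lint_root`; the constructed roots above exist only so the script runs offline.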