Kaspar Brand wrote: 

> > Alaric Dailey wrote:
> > I'd like to remind the participants that StartCom has already one CA root
> > in the NSS store which was approved less than a year ago:

> That doesn't imply everything was perfect with this application at that 
> time. Have you ever seen a root certificate with a nonRepudiation 
> keyUsage extension? 

Yes, Startcom's current one does have that...

> Or, what RSA key size would you use for a 30-year root issued in 2005?
> Startcom thinks 1024 is enough...

This is maybe unfortunate, but perhaps the reason for the current request
is to correct the shortcomings of the current root. Perhaps there were other
concerns as well, like the ability of mobile devices, or appliances like a
Cisco firewall, to handle a larger root (I happen to know that the huge root
size of CAcert has caused such issues). Look at the CA policy and structure
of the StartCom CA before coming to any conclusions. If you prefer CAs which
issue certs for 10 years (also in Mozilla NSS) then be my guest; I'll stick
with StartCom CA and their cert issuance policy.

Also even if this is a minor shortcoming, it doesn't prevent StartCom from
functioning correctly, including the handling of its keys.


> > The StartCom CA is also included in Apple

> Can't find them in /System/Library/Keychains/X509Anchors on an OS X
> 10.4.9 system - where did you get your copy of the OS from?

It is scheduled for one of the next updates and will be present in Leopard.
The "problem" tracking system of Apple and http://cert.startcom.org/?app=140
confirm this.



> > This is a request for an additional root according to
> > https://bugzilla.mozilla.org/show_bug.cgi?id=362304 and as I see it, this
> > request conforms to the Mozilla CA policy in full.

> This CA was last "audited" at the end of 2005 (more than one and a half 
> year ago), by a third party whose qualification is certainly debatable - 
> and based on last year's decision, the application should now just be 
> routinely approved?

There were CAs approved in the past with non-WebTrust audits much older than
that. Just see http://hecker.org/mozilla/ca-certificate-list



> > David E. Ross wrote:
> > I believe the key issues with certificate authorities relate to
> > whether they are operating in a computer-based environment correctly.
> > The technology issues outweigh the business issues. Thus, when
> > determining who is a "Competent Party", we must be careful not to
> > allow the "auditing" to mislead us into looking for the wrong
> > qualifications.

> So, leaving aside the lack of auditing expertise of the consulting 
> company in question, do you really think they were a "competent party" 
> when they looked at Startcom (and its home grown root cert) in 2005? 


This is what they are correcting with this request, and this additional root
was issued in Sept. 06, so it doesn't come out of the blue. It seems that
StartCom is well aware of any shortcomings, and correcting them just
speaks in their favor. Also it is known that some CAs will have to
replace their roots within the next few years too, for the same reasons. Much
more important is the handling of the CA keys (the StartCom root is a strictly
off-line CA), the issuance policy and the procedures in place!

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto