Frank Hecker wrote:
> I've received a request from the NSS development team that I approve 
> inclusion of the VeriSign EV root CA certificate in the new version of 
> NSS to be included in Firefox 3, so that developers and others may test 
> out the new EV-related functionality in NSS and Firefox 3 beta releases.
>
> Unless anyone has strong and principled objections I'm going to approve 
> this request. 

I would like to raise a few questions here. As Wan-Teh indicated, this 
is an entirely new root and not the flagging of an existing root as EV.

The Mozilla CA policy states clearly under section 14 that a CA should 
submit a formal request by submitting a bug report 
<https://bugzilla.mozilla.org/enter_bug.cgi?product=mozilla.org&component=CA%20Certificates>
into the mozilla.org Bugzilla system, filed against the "CA 
Certificates" component of the "mozilla.org" product. The request should 
include the following....etc..etc...

In addition to that, a practice and process has been developed which 
includes the involvement of the community for the acceptance of a CA 
root. This gives the community members the chance to validate the 
information and raise eventual issues and concerns. In this, as in any 
other case I think it's appropriate to follow the same rules for all. It 
is even more important when we are talking about the market leader!

Additionally, without Mozilla having a formal request which indicates that 
the CA in question wants to have the root published in this software at 
all, there might be legal concerns as well. Otherwise why not include 
this CA root: http://www.verisign.com/repository/roots/pca_certificate.html
CA roots are first of all the property of the CA and by making a formal 
request the CA indicates the interest in having the root included in the 
software. It also implies to some extent that the CA in question wants 
to adhere to the Mozilla CA policy...There are more factors and legalese 
involved, but I guess I'm making the point here....

If there is a need to test EV-related functionality in NSS and Firefox 3 
beta releases, then there are other CAs which have been admitted 
recently which would conform to the "to-be-published" updated Mozilla CA 
policy. Should the CA certificate in question be chained to an existing 
root nevertheless, then this should be only a minor and formal issue and 
you can disregard the said above. In such a case, I'd only have some 
technical and practical questions.

-- 
Regards 
 
Signer:         Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber:         [EMAIL PROTECTED] <xmpp:[EMAIL PROTECTED]>
Blog:   Join the Revolution! <http://blog.startcom.org>
Phone:          +1.213.341.0390
 

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto