Eddy Nigg (StartCom Ltd.) wrote:
> Frank Hecker wrote:
>> I've received a request from the NSS development team that I approve
>> inclusion of the VeriSign EV root CA certificate in the new version of
>> NSS to be included in Firefox 3, so that developers and others may test
>> out the new EV-related functionality in NSS and Firefox 3 beta releases.
>>
>> Unless anyone has strong and principled objections I'm going to approve
>> this request.
> I would like to raise a few questions here. As Wan-Teh indicated, this
> is an entirely new root and not the flagging of an existing root as EV.
>
> The Mozilla CA policy states clearly under section 14 that a CA should
> submit a formal request by submitting a bug report
> <https://bugzilla.mozilla.org/enter_bug.cgi?product=mozilla.org&component=CA%20Certificates>
> into the mozilla.org Bugzilla system, filed against the "CA
> Certificates" component of the "mozilla.org" product. The request should
> include the following....etc..etc...
>
> In addition to that, a practice and process has been developed which
> includes the involvement of the community for the acceptance of a CA
> root. This gives the community members the chance to validate the
> information and raise eventual issues and concerns. In this, as in any
> other case I think it's appropriate to follow the same rules for all. It
> is even more important when we are talking about the market leader!
>
> Additionally without Mozilla having formal request which indicates that
> the CA in question wants to have the root published in this software at
> all, there might be legal concerns as well.

[snip]

Frank,

In the past, Gerv rejected all CA cert requests that did not originate from a representative of the CA itself, citing the policy. By honoring a request to include the Verisign CA cert, which request did not originate with a representative of the CA, this is an implicit change in practice regarding the policy.

I think we should be absolutely consistent with regard to this aspect of the policy. If we decide, now, that we ARE willing to accept requests from third parties, then I think we should go back to the recently rejected requests (in bugzilla) and reopen them and reconsider them.

Note that several requests have been sent to the members of the CABForum, inviting them (begging them? :) to submit their new root CA requests to mozilla (through bugzilla), and those requests for requests have been largely ignored. Most of the CABForum CAs have not yet filed requests for inclusion of their root CA certs in bugzilla.

I mention this because it may come to pass that, in order for EV to be perceived by users as working in Firefox, it will be necessary for mozilla to consider adding certs for CAs that have NOT requested the addition of their certs. So, I think we should be prepared for the possibility that the requests simply will not have arrived by the time FF3 is ready to ship.

Perhaps you should consider asking the CABForum members, again, to apply for inclusion of their EV roots in mozilla products.

/Nelson