Eddy Nigg (StartCom Ltd.) wrote:
<snip>
> ... _I'm requesting
> hereby and now to have a thorough review of this situation and
> reassessment_ of the Mozilla CA policy concerning everything related to
> sub-ordinated CAs.

This is a good discussion to have, and I agree that it's a timely issue. I'd only add that I think in addition to the policy itself, we also need to discuss the surrounding context. This includes some of the technical issues that have been raised in various bugs: to what extent CAs implement name constraining mechanisms, and how well-supported they are by NSS; revocation checking for subordinate CA certificates; and so on.

> In connection with this request, I'd also like to have cross-signing
> between CA roots defined in the Mozilla CA policy, since cross-signing
> might touch a similar field, which could at some point land us in a
> similar situation of losing control.

Again, there are technical issues here I'm not fully clear on, relating to how NSS handles cross-signing in various contexts, including cases where cross-signing causes there to be multiple possible paths from an end entity certificate to a trust anchor.

Any policy revision is going to have to take the above-mentioned (and possibly other) technical issues into account. So my personal priority is first getting definitive answers on the state of these issues today, and how we can reasonably expect that state to change in the future (e.g., based on NSS enhancements and fixes already planned, or those that might be possible assuming additional funding from the Mozilla Foundation or whomever).

Frank

-- 
Frank Hecker
[EMAIL PROTECTED]
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto