Frank Hecker wrote:
> Eddy Nigg (StartCom Ltd.) wrote:
> <snip>
>
>> ... _I'm requesting
>> hereby and now to have a thorough review of this situation and
>> reassessment_ of the Mozilla CA policy concerning everything related to
>> sub-ordinated CAs.
>>
>
> This is a good discussion to have, and I agree that it's a timely issue.
>

I'm very glad to see you supporting my request!

> I'd only add that I think in addition to the policy itself, we also need
> to discuss the surrounding context as well. This includes some of the
> technical issues that have been raised in various bugs: to what extent
> CAs implement name constraining mechanisms, and how well-supported they
> are by NSS; revocation checking for subordinate CA certificates; and so on.
>

Agreed, which is a precondition for solving the tasks in front of us...

>
>> In connection with this request, I'd also like to have cross-signing
>> between CA roots defined in the Mozilla CA policy, since cross-signing
>> might touch a similar field, which could at some point land us in a
>> similar situation of losing control.
>>
>
> Again, there are technical issues here I'm not fully clear on, relating
> to how NSS handles cross-signing in various contexts, including cases
> where cross-signing causes there to be multiple possible paths from an
> end entity certificate to a trust anchor.
>

Neither am I, but I guess Nelson will be able to help make this clearer to us.

> Any policy revision is going to have to take the above-mentioned (and
> possibly other) technical issues. So my personal priority is first
> getting definitive answers on the state of these issues today, and how
> we can reasonably expect that state to change in the future (e.g., based
> on NSS enhancements and fixes already planned, or those that might be
> possible assuming additional funding from the Mozilla Foundation or
> whomever).

Excellent! As we receive answers on the various open questions mentioned above, I'll try to summarize the current situation generally with the existing and to-be-included CAs and EV upgrades and make possible suggestions. Obviously I'd really like to see all the others doing the same and help in this effort!

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
<http://www.startcom.org>
Jabber: [EMAIL PROTECTED] <xmpp:[EMAIL PROTECTED]>
Blog: Join the Revolution! <http://blog.startcom.org>
Phone: +1.213.341.0390