Frank Hecker wrote:
> I'm not sure what you mean by "cosmetically",

With "cosmetic" I mean that nothing prevents a CA from establishing the needed OID chain NSS will be looking for. There is (almost) no difference between issuing an intermediate CA certificate and issuing one with the needed OID. This is what I wanted to have confirmed explicitly by somebody other than me!

> but you are correct that
> once we approve a root for EV then the root can create EV-capable
> subordinate CAs at will, and we don't currently have the fine-grained
> control in NSS that would allow overriding that if needed or wanted
> (e.g., if we want to deny one particular subordinate the ability to
> issue EV certs).

Which raises, at least with me, the question whether this is indeed what was envisioned when Mozilla decided to endorse EV as a better PKI model. Or are people like Kyle perhaps rightfully thinking that he's being cheated on by some CAs? I'm quoting a recent statement by Kyle:

"The end result is that anyone who chooses to spend a hundred thousand bucks or so on a single audit can then go around selling the benefit of their inclusion in the trust list to the highest bidder without fear of repercussion. Which is what they've been doing. And nobody has the balls to stand up and say "user security is more important than user convenience". (In addition, roots have been sold to other companies, which have not passed continuing conformance audits.)"

It seems to me, even though I believed that EV would change that, nothing will change in that respect, especially the vetting of the issuing CAs. This was one of the arguments mentioned here in favor of EV. I'd have to go through the archive of the discussions, but I'm almost certain that the audit argument was brought up various times.

Now I'm asking the question: is this really what we wanted? Is this the better criteria and standard, the better auditing principles?

As we are reviewing possible changes to the Mozilla policy, one of the possible suggestions I'll be making will most likely be that CAs must have established (provable) direct control over their subordinate CAs. Another idea could be that external sub-CAs would have to be audited in the same manner as the parent CA. In relation to EV, we could perhaps include only the issuing, intermediate EV CA certificate which was actually audited (since they have a path length of 0, this could guarantee that only the audited and approved CA is issuing EV certificates). There are many options possible, obviously, and I'm just brainstorming right now.

--
Regards

Signer: Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber: [EMAIL PROTECTED] <xmpp:[EMAIL PROTECTED]>
Blog: Join the Revolution! <http://blog.startcom.org>
Phone: +1.213.341.0390

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
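As an added illustration of the two points made in this message (not code from the thread, from NSS, or from StartCom), a small Python model of EV chain checking with a constructed placeholder policy OID and constructed certificates: under a root approved for EV, any subordinate that asserts the OID is accepted with no further vetting, while a pathLenConstraint of 0 on the audited issuing CA causes any further sub-CA below it to be rejected.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

EV_OID = "1.3.6.1.4.1.99999.1.1"   # placeholder EV policy OID, constructed for this model

@dataclass
class Cert:
    """Minimal stand-in for an X.509 certificate (a model, not a real parser)."""
    subject: str
    issuer: str
    is_ca: bool = False
    path_len: Optional[int] = None          # basicConstraints pathLenConstraint, None = unlimited
    policies: List[str] = field(default_factory=list)  # certificatePolicies OIDs

def validate_ev_chain(chain: List[Cert], ev_roots: Dict[str, str]) -> Tuple[bool, str]:
    """chain is leaf-first and ends at a self-issued root; ev_roots maps a root subject
    to the EV policy OID it was approved for. Returns (accepted, reason)."""
    if len(chain) < 2:
        return False, "chain must contain a leaf and a root"
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            return False, f"{child.subject} was not issued by {parent.subject}"
    root = chain[-1]
    if root.issuer != root.subject or root.subject not in ev_roots:
        return False, "root is not an EV-approved trust anchor"
    oid = ev_roots[root.subject]
    for below, ca in enumerate(chain[1:]):       # 'below' = CA certs between ca and the leaf
        if not ca.is_ca:
            return False, f"{ca.subject} is not a CA certificate"
        if ca.path_len is not None and below > ca.path_len:
            return False, f"{ca.subject} has pathLen {ca.path_len} but {below} CA(s) below it"
    for cert in chain[:-1]:                       # leaf and every intermediate must assert the OID
        if oid not in cert.policies:
            return False, f"{cert.subject} does not assert EV policy {oid}"
    return True, "EV chain accepted"

# Constructed sample chains.
ROOT = Cert("Example Root", "Example Root", is_ca=True)
EV_ROOTS = {"Example Root": EV_OID}
# 1) Any subordinate under the approved root can assert the OID: accepted without further audit.
RESELLER = Cert("Reseller CA", "Example Root", is_ca=True, policies=[EV_OID])
CHAIN_RESELLER = [Cert("www.example.test", "Reseller CA", policies=[EV_OID]), RESELLER, ROOT]
# 2) Audited issuing CA with pathLen 0: its own end-entity certificates are accepted ...
EV_ISSUER = Cert("Audited EV CA", "Example Root", is_ca=True, path_len=0, policies=[EV_OID])
CHAIN_PATHLEN_OK = [Cert("shop.example.test", "Audited EV CA", policies=[EV_OID]), EV_ISSUER, ROOT]
# 3) ... but a further sub-CA it issues is rejected, even though it asserts the OID.
SUB = Cert("Unvetted Sub CA", "Audited EV CA", is_ca=True, policies=[EV_OID])
CHAIN_PATHLEN_VIOLATED = [Cert("bank.example.test", "Unvetted Sub CA", policies=[EV_OID]), SUB, EV_ISSUER, ROOT]
```

The model deliberately omits signatures, validity periods and revocation; it only reproduces the issuer linkage, basicConstraints and policy-OID logic relevant to the discussion.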