Frank Hecker:
> GeoTrust has applied to add a new EV root CA certificate to the Mozilla
> root store, as documented in the following bug:
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=407168
>
> and in the pending certificates list:
>
> http://www.mozilla.org/projects/security/certs/pending/#GeoTrust
>
> I have evaluated this request, as per the mozilla.org CA certificate policy:
>
> http://www.mozilla.org/projects/security/certs/policy/
>
> and plan to officially approve the request after a public comment period.

Just scratching on the surface of this request and I have to make the following observations:

The audit report (https://cert.webtrust.org/SealFile?seal=650&file=pdf) says:

    We have examined....during the period from *July 21, 2007 through November 30, 2007*, Verisign has--

      * Disclosed its key and certificate life cycle management business and information privacy practices in its:
        - GeoTrust Certification Practice Statement for....*EV*...dated *January 31, 2008*

No matter what excuse they bring up (and I'm sure that there will be a convincing one), this doesn't look good. That happens when the market leaders meet the monopolists. Please note that this is KPMG's statement above....

Second, I wonder what's the deal with Thawte's and GeoTrust's inclusion requests. As Gerv mentioned yesterday, there are about 40 others in the queue, why do they get preferential treatment? Others wait for half a year and more just to get to this stage? I saw the entries in the bugs from Nelson pushing for their inclusion... But both CAs up for inclusion just finished submitting all relevant information *two days ago*.

With all due respect, this kind of behavior by rushing their requests through the process is exactly what makes many members of the community and others feel that it's all a game where money talks... I understand the need for FF3 to support as many EV enabled roots as possible, it simply doesn't look good! And what would happen if these roots would be included and published during one of the next updates of FF3? Would there be really such a de-valuation of FF3 if they'd have to wait a little? Are the suspicions and rants on this mailing list by some participants justified then?

I'm always pointing out and praising in the public about the professional, transparent, clean and fair process a CA undergoes for inclusion at Mozilla. I wouldn't know what to say to somebody complaining about this one...

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
<http://www.startcom.org>
Jabber: [EMAIL PROTECTED] <xmpp:[EMAIL PROTECTED]>
Blog: Join the Revolution! <http://blog.startcom.org>
Phone: +1.213.341.0390