Eddy Nigg (StartCom Ltd.) wrote, On 2008-03-05 11:01:

> Second I wonder what's the deal with Thawte's and GeoTrust's inclusion
> requests. As Gerv mentioned yesterday, there are about 40 others in the
> queue, why do they get a preferential treatment? Others wait for half a
> year and more just to get to this stage? I saw the entries in the bugs
> from Nelson pushing for their inclusion...

Eddy, I haven't pushed for the inclusion of any CA or any CA cert. Let me tell you what I have done for the CA request queue this week.

Recently, I received emails from representatives of a number of CAs, all asking "what is the status of our CA cert request?" I looked at their bugs in bugzilla, and for some of them, I myself could not figure it out from the information in the bug reports.

Then I went and looked at the "pending" page,
http://www.mozilla.org/projects/security/certs/pending/index.xml
and saw lots of color coded information there. Personally, I found the particular presentation on that page to be difficult to quickly grasp. I wanted, but did not find, a summary table. So I made one, using bugzilla.

I took the status information in the pending page and updated the individual bugzilla bugs with it. For every CA listed on the pending page whose request bug is still open, I updated it with the status from the pending page. I also changed the bug summaries of (nearly all) those bugs to have a similar concise syntax, so one can see at a glance which CA is the subject of the bug, and whether the request is for EV, or not.

This had several immediate effects.

1) When I look at the bugzilla bug list of open root CA requests, at
https://bugzilla.mozilla.org/buglist.cgi?query_format=advanced&product=mozilla.org&component=CA+Certificates&bug_status=UNCONFIRMED&bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&bug_severity=enhancement&chfieldfrom=2004-04-01&chfieldto=Now&chfield=%5BBug+creation%5D&cmdtype=doit
I now immediately see the status information of every bug. To do that, I view these columns: ID, (Date) Opened, Whiteboard, Full Summary. The whiteboard column now shows the status info. I can now easily see that 18 of the 42 open requests have no status information because they are NOT yet listed on the pending page.

2) I noticed that quite a few CAs listed on the Pending page have had their requests completely resolved, either by having their certs included, or by being rejected. I would like to see the entries for the CAs that are now included moved from the pending page to the "included" page,
http://www.mozilla.org/projects/security/certs/included/index.xml
and I'd like to see another new page that lists the negatively resolved requests.

3) It had the predictable effect of causing a number of those CAs to respond saying (in effect) "Oh, our application is incomplete? What are we missing?" IMO, that was useful to get the process moving for them again.

4) It also had the effect of causing Frank to notice that some of that info was out of date, and so there were some immediate updates to the Pending page. I then carried those updates to the bugzilla bugs.

5) I think there are still some discrepancies. For example, the Pending page says that bug 335197 "Add KISA root CA Certificate" is in "public discussion" state, but after studying the bug, I conclude that it is NOT yet in that state. Frank's most recent comment suggests he has more review to do on it. I think the "Information Probably Complete" state is more accurate for that request.

In any case, none of this work was "pushing" any particular CAs for inclusion. My motivation was to enable anyone to see, at a glance, what stage each request is in, and which requests have gotten an initial examination and which ones have not, and thereby make it easier to differentiate certs that are truly in process from those that are not. Apart from this "bookkeeping" task that I have done, I have no more control over the request evaluation process than you do.

> I understand the need for FF3 to support as many EV enabled roots as
> possible, it simply doesn't look good! And what would happen if these
> roots would be included and published during one of the next updates of
> FF3? Would there be really such a de-valuation of FF3 if they'd have to
> wait a little?

As an observer of the process, here's what I think (opine, speculate) is going on.

I think it's safe to say that the backlog of root CA requests will not have been entirely cleared by the time FF3 ships. So, some sort of ordering or prioritization of those requests seems logical. One possible order is First-In-First-Out, and that obviously isn't the order being used.

I think Mozilla desires to maximize the number of issued certs that will be recognized as valid by FF3 when it ships, in order to minimize the number of complaints from FF3 users about their favorite site's certs being unrecognized. I think that has led to an approximate ordering of the requests from biggest (most certs issued) to smallest (least certs issued), and from requests that take the least time to evaluate to those that take the most time to evaluate.

It appears to me that each request to add a new cert (or certs) for a CA whose certs are not already in the list takes roughly the same amount of time to evaluate, whether that CA serves tens of certs or thousands of certs. It appears to me that the requests to give EV approval to certs already in FF's root list take much less time to evaluate than requests for certs not yet included in the list. So, it wouldn't surprise me at all to see that priority is given to the requests for upgrading certs that are already in the list.

Those are my observations and educated (?) guesses.

For those CAs' requests that have reached the "Information Confirmed Complete" state, I would like to see them be processed in more-or-less FIFO order from the time at which they reach that state. But I am sympathetic to the desire to maximize the number of certs that will work for FF3 users.

> Are the suspicions and rants on this mailing list by some participants
> justified then? I'm always pointing out and praising in the public about
> the professional, transparent, clean and fair process a CA undergoes for
> inclusion at Mozilla. I wouldn't know what to say to somebody
> complaining about this one...

If I'm right that Mozilla has chosen to order the requests in decreasing order by number of certs issued (or equivalently, https server market share), I think it would be good for Mozilla to publish that fact. I believe that it is always wise to set people's expectations in line with the most likely outcomes. Better they should know what to expect than simply be in the dark, IMO.

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto