Wowowow, slowly! Nelson, I didn't mean to attack you in any way. I apologize if this is what you understood from my previous post!
--
Regards

Signer: Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber: [EMAIL PROTECTED] <xmpp:[EMAIL PROTECTED]>
Blog: Join the Revolution! <http://blog.startcom.org>
Phone: +1.213.341.0390

Nelson Bolyard:
> Eddy Nigg (StartCom Ltd.) wrote, On 2008-03-05 11:01:
>
>> Second, I wonder what's the deal with Thawte's and GeoTrust's inclusion
>> requests. As Gerv mentioned yesterday, there are about 40 others in the
>> queue, why do they get preferential treatment? Others wait for half a
>> year and more just to get to this stage? I saw the entries in the bugs
>> from Nelson pushing for their inclusion...
>>
>
> Eddy, I haven't pushed for the inclusion of any CA or any CA cert.
> Let me tell you what I have done for the CA request queue this week.
>
> Recently, I received emails from representatives of a number of CAs,
> all asking "what is the status of our CA cert request?" I looked at
> their bugs in bugzilla, and for some of them, I myself could not figure
> it out from the information in the bug reports. Then I went and looked
> at the "pending" page,
> http://www.mozilla.org/projects/security/certs/pending/index.xml
> and saw lots of color coded information there. Personally, I found the
> particular presentation on that page to be difficult to quickly grasp.
>
> I wanted, but did not find, a summary table. So I made one, using bugzilla.
> I took the status information in the pending page and updated the
> individual bugzilla bugs with it. For every CA listed on the pending page
> whose request bug is still open, I updated it with the status from the
> pending page. I also changed the bug summaries of (nearly all) those bugs
> to have a similar concise syntax, so one can see at a glance which CA is
> the subject of the bug, and whether the request is for EV, or not.
> This had several immediate effects.
>
> 1) When I look at the bugzilla bug list of open root CA requests, at
>
>> https://bugzilla.mozilla.org/buglist.cgi?query_format=advanced&product=mozilla.org&component=CA+Certificates&bug_status=UNCONFIRMED&bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&bug_severity=enhancement&chfieldfrom=2004-04-01&chfieldto=Now&chfield=%5BBug+creation%5D&cmdtype=doit
>>
>
> I now immediately see the status information of every bug. To do that,
> I view these columns: ID, (Date) Opened, Whiteboard, Full Summary.
> The whiteboard column now shows the status info. I can now easily see
> that 18 of the 42 open requests have no status information because they
> are NOT yet listed on the pending page.
>
> 2) I noticed that quite a few CAs listed on the Pending page have had
> their requests completely resolved, either by having their certs included,
> or by being rejected. I would like to see the entries for the CAs that
> are now included moved from the pending page to the "included" page,
> http://www.mozilla.org/projects/security/certs/included/index.xml
> and I'd like to see another new page that lists the negatively resolved
> requests.
>
> 3) It had the predictable effect of causing a number of those CAs to respond
> saying (in effect) "Oh, our application is incomplete? What are
> we missing?" IMO, that was useful to get the process moving for them
> again.
>
> 4) It also had the effect of causing Frank to notice that some of that info
> was out of date, and so there were some immediate updates to the Pending
> page. I then carried those updates to the bugzilla bugs.
>
> 5) I think there are still some discrepancies. For example, the Pending
> page says that bug 335197 "Add KISA root CA Certificate" is in "public
> discussion" state, but after studying the bug, I conclude that it is NOT
> yet in that state. Frank's most recent comment suggests he has more
> review to do on it. I think the "Information Probably Complete" state
> is more accurate for that request.
>
> In any case, none of this work was "pushing" any particular CAs for
> inclusion. My motivation was to enable anyone to see, at a glance, what
> stage each request is in, and which requests have gotten an initial
> examination and which ones have not, and thereby make it easier to
> differentiate certs that are truly in process from those that are not.
>
> Apart from this "book keeping" task that I have done, I have no more
> control over the request evaluation process than you do.
>
>
>> I understand the need for FF3 to support as many EV enabled roots as
>> possible, it simply doesn't look good! And what would happen if these
>> roots would be included and published during one of the next updates of
>> FF3? Would there really be such a de-valuation of FF3 if they'd have to
>> wait a little?
>>
>
> As an observer of the process, here's what I think (opine, speculate) is
> going on.
>
> I think it's safe to say that the backlog of root CA requests will not
> have been entirely cleared by the time FF3 ships. So, some sort of
> ordering or prioritization of those requests seems logical. One possible
> order is First-In-First-Out, and that obviously isn't the order being used.
>
> I think Mozilla desires to maximize the number of issued certs that will be
> recognized as valid by FF3 when it ships, in order to minimize the number
> of complaints from FF3 users about their favorite site's certs being
> unrecognized. I think that has led to an approximate ordering of the
> requests from biggest (most certs issued) to smallest (least certs issued),
> and from requests that take the least time to evaluate to those that take
> the most time to evaluate.
>
> It appears to me that each request to add a new cert (or certs) for a CA
> whose certs are not already in the list takes roughly the same amount of
> time to evaluate, whether that CA serves tens of certs or thousands of
> certs. It appears to me that the requests to give EV approval to certs
> already in FF's root list take much less time to evaluate than requests
> for certs not yet included in the list. So, it wouldn't surprise me at
> all to see that priority is given to the requests for upgrading certs that
> are already in the list.
>
> Those are my observations and educated (?) guesses.
>
> For those CAs' requests that have reached the "Information Confirmed
> Complete" state, I would like to see them be processed in more-or-less
> FIFO order from the time at which they reach that state. But I am
> sympathetic to the desire to maximize the number of certs that will work
> for FF3 users.
>
>
>> Are the suspicions and rants on this mailing list by some participants
>> justified then? I'm always pointing out and praising in public
>> the professional, transparent, clean and fair process a CA undergoes for
>> inclusion at Mozilla. I wouldn't know what to say to somebody
>> complaining about this one...
>>
>
> If I'm right that Mozilla has chosen to order the requests in decreasing
> order by number of certs issued (or equivalently, https server market share),
> I think it would be good for Mozilla to publish that fact. I believe that
> it is always wise to set people's expectations in line with the most likely
> outcomes. Better they should know what to expect than simply be in the
> dark, IMO.
> _______________________________________________
> dev-tech-crypto mailing list
> dev-tech-crypto@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-tech-crypto