Hi Frank,

After reviewing the request of Comodo and receiving sufficient answers from Robin Alden (of Comodo) concerning the inclusion and update request of the various Comodo CA roots currently under discussion and after hearing (and replying to) the arguments you posted as well, I would like to inform you that I remain opposed to your opinion (as I understand it) based on my knowledge and understanding.

I object to the inclusion of the Comodo CA roots (as this is a general review as mentioned in the bug) on the grounds that the current implementations as outlined in the various CP/CPS documents of Comodo pose a risk to Mozilla and its users as relying parties. In particular I object to adding any CA root which issues domain validated certificates with validities of ten years. The possible attack vectors (MITM) are clearly real and pose a risk to any relying party, as explained in my other posts on that matter.

Additionally I suggest to review our standing (of the Mozilla CA policy) where wild card certificates are concerned. The implementations of Comodo pose in my opinion a possible risk to relying parties, especially in respect of possible phishing attempts and other fraud.

I also suggest to consult with other experts in this field and with the legal department of Mozilla concerning CA root certificates of which the organization to which the root was issued has stopped its operations and/or ceased to exist altogether. This includes also getting advice concerning CA roots of which the details within the certificates are not correct and true anymore.

I suggest to work with Comodo to solve these issues in a joint effort and under the mutual understanding from both sides to provide reasonably secure digital certification to Mozilla and other relying parties.

***********

This was the official statement, now the less official part:

Should my objection be ignored (which is your perfect right), I'll do my utmost and by any relevant means at my disposal to reverse such a decision. As an operator of a certification authority it's my responsibility to prevent de-valuation of our own efforts and possible de-valuation of this industry at large.

As a member of the Mozilla community it's my responsibility to contribute my knowledge and effort, in order to keep NSS and the various Mozilla software a tool upon which its users can rely and with that further improving the use of the Internet at large. I've found, in the unique way Mozilla as a foundation and a community project operates, a vehicle where I can directly influence and contribute to the efforts of both the company I work for and to Mozilla. Personally I believe in my mission and intend to make full use of the opportunity offered to me by Mozilla.

--
Regards

Signer: Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber: [EMAIL PROTECTED] <xmpp:[EMAIL PROTECTED]>
Blog: Join the Revolution! <http://blog.startcom.org>
Phone: +1.213.341.0390

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto