> Eddy Nigg (StartCom Ltd.) wrote:
> > Robin, just to answer this one...
> >
> > Robin Alden:
> >> [Robin said...] A fair point, and perhaps that is a whole other
> >> problem.  Our CA *does* have
> >> roots in NSS.
> >>
> >
> > This is correct. However your CA roots are considered legacy roots
> > which were inherited from the Netscape era. Many critics have rightly
> > pointed to the fact that these legacy roots never underwent a review
> > nor proper inclusion process. This is the reason why Frank made your
> > request for upgrade conditional and a general inclusion request as if
> > this were new roots. Your CA doesn't enjoy immunity because you have
> > these legacy roots in NSS, nor does any other CA have that privilege,
> > no matter if legacy or not.
> 
> I don't have time to respond to each and every point in this whole
> discussion, but I did want to respond to this one. As Eddy notes, we
> have a lot of roots in Mozilla that were inherited from the old
> Netscape days. We now have a formal policy by which we evaluate requests
> from new CAs, including new CAs issuing EV certs, and I thought it was
> unfair to evaluate only new CAs and forever exempt old CAs from similar
> scrutiny.
> 
> Thus as the opportunity arises I've been trying to go back and look at
> old roots. Requests by various CAs to enable old roots for EV use
> presented just such an opportunity to not just look at the EV-related
> aspects of the CAs but also to review how other aspects of the CAs
> stacked up vis-a-vis our CA policy, and let people in the Mozilla
> community (which means potentially anyone) make comments and
> suggestions relating to particular CA requests. This is just the way we
> work; we're not Microsoft or Apple, we're a public project and we have
> public processes.
> 
> Doing such reviews and allowing such comments does not imply that I'm
> going to be pulling old roots out of NSS and Firefox. It also does not
> imply that I'm going to hold up EV-related requests until CAs address
> all comments and adopt all suggestions, or until we decide whether our
> policy needs revising and how to revise. This is particularly true
> where the issues involve CA practices related to non-EV certs, since
> those issues will not be affected one way or another by our enabling
> CAs for EV.
[Robin said...] Thanks.  That clarification is a big help.

> 
> However I think it's perfectly reasonable for us (Mozilla in general)
> to formally call out CA practices that may not be explicitly addressed
> by our policy, and that may not affect my decisions under the policy,
> but that we consider to be problematic in one way or another, and to
> publicly encourage CAs to modify them in various suggested ways.
[Robin said...]
Fair enough.  We welcome open discussions about these things, as I hope I
have demonstrated.

> Issuing long-lived DV certs and wildcard DV certs may be particular
> practices worth our having some formal positions on, even if they're
> not addressed by our official policy.
[Robin said...]
There I have to disagree to some degree.
You have a policy which tells us what we must do to qualify for root
inclusion.
Are you saying that you have some other things which aren't in the policy
which we must do too?  We'd really rather they were included in your policy
- even if your policy just refers out to them.
A policy needs to be something I can examine as a whole, not something that
reveals - like a fractal - more complexity and detail every time I probe it.

Regards
Robin Alden
Comodo CA Limited


_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
