> Robin, I have a request to make. Let's put aside for a minute the procedural matters and let me ask you a few questions:
>
> - We are not seeking to cause any harm to Comodo or unilaterally remove the roots from NSS. However, can we seek cooperation on the issues which were raised, and is Comodo willing to address these issues in good faith?

[Robin said...] We are willing to address issues which are of concern to Mozilla, provided that the same standard applies at the same time to all CAs.

> - Apparently you agree that the major issues we've raised indeed pose a higher risk to the relying parties. Can we work together in order to improve your products to the extent that both sides can live with it, and based on reasonable terms? This would improve the overall quality of all certificates issued by CAs which are included in NSS, which would result in further strengthening of digital certification in general and in Mozilla software in particular. It would also improve your standing in this industry!

[Robin said...] I didn't agree that any of the issues you raised were major ones. I do agree that there are a variety of levels of risk provided by the product ranges we have discussed. We are keen that levels of risk are reduced across the industry and we are always happy to talk about how that can be achieved. I do not see how the withdrawal or modification of some of our products in isolation accomplishes that overall reduction in risk. Amend your policy so that it fully expresses your requirements and then apply that policy to all CAs.

> - Any conclusions through this process and any update to the Mozilla CA policy would be evenly applied upon all CAs included in NSS.

[Robin said...] Excellent.

> Additionally, other software vendors, most notably Microsoft, could adopt them as well, resulting in a major improvement of our industry. Under this condition, would you be willing to seriously address the issues, make and amend changes to your CPS and implement the changes at your CA?

[Robin said...] As I mentioned before, we are commercially obliged to have our root CAs present in the major browser and OS platforms. In the absence of other authority it is those browsers and OS platforms that set the standards we have to follow. Since no single browser has the entire market cornered we are obliged to meet the union of all of the standards set by all of the browsers. We are prepared to comply with Mozilla's CA Policy. We are prepared to enter into and assist with discussions with Mozilla about changes they may wish to make to their policy. We are also prepared to do the same with any other commercially important browsers and OS platforms.

> The issues which should be addressed are certificates with a longer validity and domain-validated wildcard certificates. I would like to make the following suggestions, that
>
> - domain-validated certificates which are valid for more than 24 months must be re-validated every year thereafter (starting after 24 months). Should revalidation fail, the certificate shall be suspended until the subscriber has done so successfully, or revoked. This would leave your product intact and you could continue to issue them as you do today; however, it would introduce additional validations during the lifetime of the certificate.
>
> - domain-validated wildcard certificates would undergo an additional identity validation. The certificate content itself doesn't have to be changed compared to what you do today (if you prefer), but you would guarantee through your CPS that you perform this additional validation.
>
> Are these suggestions reasonable in your point of view and would this be acceptable to the management of Comodo? Could Comodo commit and agree to such an implementation, provided that this will be evenly applied upon all CAs currently in NSS? If not, can you please provide an alternative, solving the issues at hand, and explain what Comodo would be willing to implement instead?

[Robin said...] I'm not the first guy you need to get to agree that your suggestions are reasonable. Mozilla should amend its CA policy if it believes there is something that it does not currently address and then apply that new policy to all CAs. The proscription of SSL products, or of details of their implementation, is something that should reasonably be discussed collectively with the CAs and the browsers. Can I suggest that the CAB Forum would be one place in which the matter could usefully be discussed? Mozilla is already able to propose such matters for discussion there through Jonathan Nightingale.

Regards
Robin Alden
Comodo CA Limited

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto