The inclusion of DigiNotar is raising more issues, which I think is very
good for us.
In comment https://bugzilla.mozilla.org/show_bug.cgi?id=431621#c5 the
representative of DigiNotar (Kick) notes that their CA root has been
cross-signed by Entrust. Now this effectively circumvented our policy in
the case of DigiNotar.
Additionally, as previously noted, Kick also raised other issues
concerning the Staat der Nederlanden CA. By coincidence somebody else
from the Netherlands made me aware of a poor trust relationship between
the citizens of the Netherlands and this CA, beyond possible flaws in
their issuing requirements and procedures.
As I understand, until the release of FF3 no new CAs will be included
and approved. I suggest that we invest our time to bring our house
somewhat in order before we continue. I would like to put the following
points to the agenda:
1.) Urgent review of the Staat der Nederlanden CA.
2.) Urgent review of the Entrust CA (and look into possible
cross-signing schemes which circumvent the Mozilla CA policy).
3.) Discussion and upgrade/new definitions of the Mozilla CA policy and
points which have been raised previously at the mailing list and on the
wiki.
4.) Introduction of a management utility for better and more efficient
handling of current CAs (reviews, EV status, yearly audit reports),
proposed CAs for inclusion, future CA inclusion requests and removal of
CAs.
5.) Review and discussion about the current inclusion and review process
for CAs (one person decision).
Frank, could we work out a plan and time frame for the points above? Are
there other issues which should be added? Other suggestions, objections?
--
Regards
Signer: Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber: [EMAIL PROTECTED] <xmpp:[EMAIL PROTECTED]>
Blog: Join the Revolution! <http://blog.startcom.org>
Phone: +1.213.341.0390
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
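The mechanism behind point 2.) above, as an added illustration that is not part of the original message and is not code from Mozilla, Entrust or DigiNotar: a root that a browser store does not include still validates end-entity certificates in that store once an included root issues a cross-certificate carrying the non-included root's subject and public key. The program below builds exactly that situation with Go's standard library. All names ("Store-Trusted Root", "Non-Included Root", "www.example.test") and keys are constructed for the example and stand in for the roles discussed; they are not the real CAs.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue signs a certificate for pub from tmpl. parent/parentKey identify the
// issuer; when parent is nil the certificate is self-signed with parentKey.
func issue(tmpl *x509.Certificate, pub *ecdsa.PublicKey, parent *x509.Certificate, parentKey crypto.Signer) (*x509.Certificate, error) {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// caTemplate returns a minimal CA certificate template for the given subject.
func caTemplate(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// Result records how the same leaf fares against a store holding only the anchor.
type Result struct {
	WithoutCrossCert bool // leaf validates when no cross-certificate is offered
	WithCrossCert    bool // leaf validates once the cross-certificate is presented
	ChainLen         int  // certificates in the chain found via the cross-certificate
}

// Demo constructs two independent roots, cross-signs the second with the first,
// and verifies a leaf issued by the second root against a store that trusts
// only the first. Names are hypothetical; nothing here is a real CA.
func Demo() (Result, error) {
	var r Result
	anchorKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	otherKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)

	// The root that the store includes (hypothetical stand-in for the cross-signer).
	anchor, err := issue(caTemplate("Store-Trusted Root (hypothetical)", 1), &anchorKey.PublicKey, nil, anchorKey)
	if err != nil {
		return r, err
	}
	// A root the store does NOT include (hypothetical stand-in for the cross-signed CA).
	other, err := issue(caTemplate("Non-Included Root (hypothetical)", 2), &otherKey.PublicKey, nil, otherKey)
	if err != nil {
		return r, err
	}
	// Cross-certificate: identical subject and public key to 'other', signed by 'anchor'.
	cross, err := issue(caTemplate("Non-Included Root (hypothetical)", 3), &otherKey.PublicKey, anchor, anchorKey)
	if err != nil {
		return r, err
	}
	// Server certificate issued by the non-included root only.
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(4),
		Subject:      pkix.Name{CommonName: "www.example.test"},
		DNSNames:     []string{"www.example.test"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, err := issue(leafTmpl, &leafKey.PublicKey, other, otherKey)
	if err != nil {
		return r, err
	}

	// The trust store: only the anchor, as if the other root had never been admitted.
	roots := x509.NewCertPool()
	roots.AddCert(anchor)

	// 1. No cross-certificate available: the leaf chains to an unknown authority.
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: "www.example.test"})
	r.WithoutCrossCert = err == nil

	// 2. The server sends the cross-certificate as an intermediate: the store's
	//    decision not to include 'other' no longer matters.
	inters := x509.NewCertPool()
	inters.AddCert(cross)
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: "www.example.test"})
	r.WithCrossCert = err == nil
	if err == nil && len(chains) > 0 {
		r.ChainLen = len(chains[0]) // leaf -> cross-certificate -> anchor
	}
	return r, nil
}

func main() {
	r, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("without cross-cert: valid=%v\nwith cross-cert:    valid=%v chain length=%d\n",
		r.WithoutCrossCert, r.WithCrossCert, r.ChainLen)
}
```

The point the check makes: a verifier looks only for a path from the leaf to some trusted anchor, so the inclusion decision for the cross-signed root is never consulted. Any review of an included root therefore has to cover the cross-certificates it has issued, not only its own hierarchy.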