Frank Hecker:
> DigiNotar is not alone in having a root cross-signed by Entrust;

No, of course not. However, in this specific case we have facts which
require additional actions (such as reviewing the situation, evaluating
it and its eventual consequences).

> this
> was apparently fairly common practice among new CAs trying to get
> recognized in browsers. This issue will take a while to sort out I
> think. I don't know exactly how widespread this practice was/is, and I
> think there are also some technical issues in NSS regarding
> certificate path processing that may affect this.
Well, if there is an issue which becomes widespread and would negatively
affect NSS and our policy, we'll have to decide what to do. Currently I
suggest that we learn from the Entrust case and see how to evaluate the
next steps.
>> As I understand, until the release of FF3 no new CAs will be included and
>> approved.

> That is half true. I will still consider CA applications during the
> time between now and Firefox 3 launch, and if appropriate I will
> approve new CAs for inclusion and file the necessary bugs against NSS
> and (for EV) PSM. However as a practical matter I think any new CAs
> approved past today will not appear in Firefox until the 3.0.0.1
> update release (at the earliest).
OK, I understand the intention.

> I agree that this would be a useful time to do some housekeeping work.
OK, I think we should think about the priorities and their implications. I
think, too, that this would be a good time to take a break from inclusion
requests and invest our time in the issues I've raised (and others, of course).

>> Frank, could we work out a plan and time frame for the points above? Are
>> there other issues which should be added? Other suggestions, objections?

> Besides the points you mentioned, here are some things I think need to be done:
> 6) Make sure that bugs have been properly filed for all known CA requests.
> 7) Make sure that all bugs for CAs have a correct status. (For example,
> mark bugs as RESOLVED FIXED where appropriate).
> 8) Make sure the "included" page on www.mozilla.org is revised to
> reflect all new CAs approved for inclusion as of now.
> 9) Make sure the "pending" page on www.mozilla.org has an entry
> (possibly very minimal) for all CA requests for which bugs have been
> filed.
I think up to here it will depend a lot on whether you are in favor of the
management utility I suggested. I think that some/most of the issues you
mentioned could be solved with it once it's ready. Certainly the various
pages, but also the bugs. I'm looking forward to a decision by the
Mozilla Foundation and have a formal request for it. Once I do, I'm
going to consult with you (and others) and start its implementation.

> 10) Find a person or persons to help with basic information gathering
> on CAs. (This is somewhat different from your point about the overall
> CA decision process).
Here too, it would certainly be good to get some help if possible;
however, the utility would/should help you save some time which you
could invest otherwise. The utility would also start to structure the
very issue you mentioned above (about the basic info on the CA).

> The items above are actually my highest priority right now. I think we
> need to have correct information for where we are right now before
> trying to start major new projects like CA management tools.
Well, I see it exactly the other way around. I expect to have the
utility fully operational in one to two months, solving a lot of the
above. But of course you can continue to invest a lot of time now in
everything above and wait for the tool that will make it all easier... I
have quite some knowledge of such tools and the automation of tasks, so I
see the needed investment as a one-time effort which pays for itself quickly.
Supposing we go ahead with it, I'd suggest that in the meantime you
invest some time in changes to the Mozilla policy. The points above
will solve themselves once the utility is ready. I guess I'd also hire
somebody to populate the DB with the existing CAs and their information.
--
Regards
Signer: Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber: [EMAIL PROTECTED] <xmpp:[EMAIL PROTECTED]>
Blog: Join the Revolution! <http://blog.startcom.org>
Phone: +1.213.341.0390
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto