Nukeador wrote, On 2008-05-21 14:59:
> Eddy Nigg (StartCom Ltd.) escribió:
>> Apparently yes! From
>> http://wiki.mozilla.org/CA:Root_Certificate_Requests see the lower
>> section. I suggest that the representative of the CA starts a new bug
>> according to the instructions of this page:

> Ok, I'm contacting now with Cristina Acedo, who is from the FNMT, and
> giving her the details to open a bug herself with the information inside
> that particular template.

I would say that a new bug is not necessary.   What *IS* necessary is
direct communication between an official CA representative and Mozilla
through the bug system, and that all the information requested be provided.
 Any information upon which Mozilla will rely in performing its evaluation
must not come through a third party.

If using the English language presents a problem, the I would suggest that
the CA representative delegate this responsibility to some other CA
employee or officer who can act as an official CA representative.

To put the FNMT request in perspective:

FNMT is one of a small number of official CAs for parts of Spain.
According to a presentation about this subject made by izenpe earlier
this week,
for Catelonia, there is Catcert,
for Comunidad de Valencia, there is ACCV,
for the Basque regions, there is izenpe,
and for the rest of Spain, there are
FNMT, CameraFirma, ipsCA, FirmaProfesional, and "Notaries"
(I may have erred in that last transcription).

FNMT issues smart cards with certificates on them to individuals, as does
izenpe for its region.  The presentation says that FNMT's dni-e serves a
population of 44.7 million and izenpe serves a population of 2.13 million.
I believe those numbers are the numbers of individuals who are eligible to
receive smart cards with certs and private keys.

It should not be necessary for those CA certs to be included and trusted in
Mozilla for those individuals' certs to be usable for SSL client
authentication in Firefox.  IMO, the principal reason for Mozilla to
include a root CA cert is for that cert to issue SSL server certs, and/or
code signing certs.  I don't think we have any numbers for how many of
such certs are issued by those CAs.  The number of server certs may not be
proportional to the number of individuals eligible to receive smart cards.

Of the CAs named above, these are already in NSS's built-in root CA list:
- AC Camerafirma SA CIF
  - Chambers of Commerce Root
  - Global Chambersign Root
- Autoridad de Certificacion Firmaprofesional CIF
- IPS Internet Publishing Services s.l.  (6 roots)
- IPS Seguridad CA (1 root)

There are presently 5 open CA cert inclusion requests for CAs in Spain.
number    opened     ----------------- summary ---------------------
261778   2004-09-27  Add Camerfirma CA certificate
274100   2004-12-10  Add ACCV CA certificate (confirmed complete)
295474   2005-05-25  Add CATCert root CA certificate
361957   2006-11-27  Add Izenpe CA EV root certificate (incomplete)
408008   2007-12-11  Add FNMT Root CA cert for SSL

Personal opinion: while I accept that FNMT may serve the largest number
of subscribers, their request is the most recent, and they did not even
make the request themselves.  There are two requests that are 3+ years
older than theirs, one of which is confirmed complete.  I think Mozilla
Foundation should make some attempt to honor those CAs who were diligent
and timely in making their requests, and not displace them for an
additional indefinite time to give preference to a larger CA.

/Nelson
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Reply via email to