Frank Hecker:
> As promised, here is an update on where things stand with regard to
> DigiNotar and Entrust.

Thanks for the follow up, Frank!


>
> 1. Get DigiNotar to improve its practices with regard to certificates
> that contain email addresses and could be used for S/MIME email. This is
> my preferred solution, but DigiNotar hasn't yet committed to do this.

I'd really also like to see this happening, which makes the most sense.
But during discussions with DigiNotar it appeared that having the email
bit off wasn't a good enough incentive to start to validate the email
address for certificates they issue, and hence I don't expect that to
happen.


>
> 2. Modify NSS to turn off the email trust bit associated with the
> Entrust.net Secure Server Certification Authority root. This is my
> least-preferred option, as it would disable recognition of all
> Entrust-issued email certs and all email certs issued by other CAs whose
> roots have been cross-signed by Entrust. (This includes a number of
> other CAs that have their roots in Mozilla with the email trust bit
> enabled. Unfortunately as I understand it we'd have the same problem
> with them as with DigiNotar: NSS path processing would ignore the other
> CAs' included roots and their trust bits, go up the chain, and take
> email trust from the Entrust root.) In my judgement the potential
> security threat in this case is not high enough to justify such a
> drastic action.
>
> 3. Find some other way to get NSS not to recognize DigiNotar certs for
> email, perhaps in combination with some action by Entrust and/or
> DigiNotar. For example, one idea is to have end users of DigiNotar certs
> reconfigure their email clients to have cert chains that terminate in
> the DigiNotar Root CA root; unfortunately that's not really workable IMO
> (since every cert holder would have to do this). Another idea is to have
> Entrust revoke the DigiNotar Root CA intermediate cert; however as I
> understand it that would have no effect whatsoever, as NSS doesn't check
> for revocation of CA certs (except in the EV case). There's perhaps a
> possibility that adding the DigiNotar Root CA intermediate cert to the
> preloaded cert list would help, but that's unclear at this point given
> the current state of NSS.
>

This boils down to either of the two other options. If NSS isn't able to
choose the DigiNotar root or treat the cross-signed certificate as
revoked, then the email bit of Entrust should be set to off until the
issue is solved in a different way. Incidentally Entrust failed to make 
sure that certificates signed by them adhere to their own policies 
(assuming that they themselves validate email addresses - don't remember 
now from memory) or that of the Mozilla CA policy.

*** Which leads me to suggest once again that CAs should sign an 
agreement and/or acknowledgment of the Mozilla CA policy as a binding 
document. Acceptance into NSS should imply adherence to the requirements 
of Mozilla and nothing less than that ***

-- 
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: [EMAIL PROTECTED]
Blog:   https://blog.startcom.org
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
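The trust-bit problem argued over in the message above can be made concrete with a small model of path building. This is an added illustration and is not code from the thread, from NSS or from any of the CAs named; it models only the behaviour Frank describes (the builder climbs past DigiNotar's included root to the Entrust root and takes the email bit from there, and revoking the cross-signed intermediate changes nothing because CA revocation is not checked) next to the behaviour Eddy asks for (stop at the included root and honour its own bits). The certificate names, key identifiers, trust bits and the end-entity certificate are all constructed; the real NSS path-building algorithm is not reproduced here.

```python
"""Toy model of the trust-bit problem discussed above (added illustration, not
NSS code). It contrasts two ways a path builder can treat a CA whose root is
both included in the store (email bit off) and cross-signed by another
included root (email bit on). All names, key ids and trust bits are constructed.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    key_id: str          # stands in for the public key; a root and its cross-signed copy share it
    issuer_key_id: str
    trust: Optional[FrozenSet[str]] = None   # trust bits if included as a root, else None

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer and self.key_id == self.issuer_key_id


ENTRUST = "Entrust.net Secure Server Certification Authority"
DIGINOTAR = "DigiNotar Root CA"

ENTRUST_ROOT = Cert(ENTRUST, ENTRUST, "k-entrust", "k-entrust", frozenset({"ssl", "email"}))
# Included DigiNotar root: SSL trusted, email bit deliberately off (constructed).
DIGINOTAR_ROOT = Cert(DIGINOTAR, DIGINOTAR, "k-diginotar", "k-diginotar", frozenset({"ssl"}))
# Same subject and key as DIGINOTAR_ROOT, but issued (cross-signed) by Entrust.
DIGINOTAR_XSIGNED = Cert(DIGINOTAR, ENTRUST, "k-diginotar", "k-entrust")
# Constructed end-entity S/MIME certificate issued under the DigiNotar root.
USER_CERT = Cert("alice@example.test", DIGINOTAR, "k-alice", "k-diginotar")

STORE = [ENTRUST_ROOT, DIGINOTAR_ROOT, DIGINOTAR_XSIGNED]


def issuers_of(cert: Cert, store: List[Cert]) -> List[Cert]:
    """All certificates in the store that could have issued `cert`."""
    return [c for c in store if c.subject == cert.issuer and c.key_id == cert.issuer_key_id]


def build_climbing(leaf: Cert, store: List[Cert], revoked: FrozenSet[Cert] = frozenset(),
                   check_ca_revocation: bool = False) -> Tuple[List[Cert], FrozenSet[str]]:
    """Behaviour the message describes: whenever a non-self-signed issuer exists,
    keep climbing, and read the trust bits from the self-signed root finally
    reached. CA revocation is ignored unless `check_ca_revocation` is set."""
    chain = [leaf]
    while not chain[-1].self_signed:
        cands = issuers_of(chain[-1], store)
        if check_ca_revocation:
            cands = [c for c in cands if c not in revoked]
        if not cands:
            return chain, frozenset()
        cands.sort(key=lambda c: c.self_signed)   # cross-signed copy first, self-signed last
        chain.append(cands[0])
    return chain, chain[-1].trust or frozenset()


def build_anchor_first(leaf: Cert, store: List[Cert]) -> Tuple[List[Cert], FrozenSet[str]]:
    """Behaviour the message asks for: stop at the first issuer that is itself an
    included root and honour that root's own trust bits."""
    chain = [leaf]
    while not chain[-1].self_signed:
        cands = issuers_of(chain[-1], store)
        if not cands:
            return chain, frozenset()
        anchors = [c for c in cands if c.trust is not None]
        chain.append(anchors[0] if anchors else cands[0])
        if anchors:
            return chain, anchors[0].trust
    return chain, chain[-1].trust or frozenset()


def email_trusted(trust: FrozenSet[str]) -> bool:
    return "email" in trust


def subjects(chain: List[Cert]) -> List[str]:
    return [c.subject for c in chain]


if __name__ == "__main__":
    cases = {
        "climb (as described)": build_climbing(USER_CERT, STORE),
        "climb, intermediate revoked, no CA revocation check":
            build_climbing(USER_CERT, STORE, frozenset({DIGINOTAR_XSIGNED})),
        "climb, intermediate revoked, CA revocation checked":
            build_climbing(USER_CERT, STORE, frozenset({DIGINOTAR_XSIGNED}), True),
        "stop at included root": build_anchor_first(USER_CERT, STORE),
    }
    for label, (chain, trust) in cases.items():
        print(f"{label}: {' -> '.join(subjects(chain))}; email trusted: {email_trusted(trust)}")
```

Running it shows the two outcomes side by side: the climbing builder chains the user certificate through the cross-signed copy to Entrust and reports email trust, and revoking the intermediate only matters once the builder actually consults CA revocation, which is exactly why the message says revocation by Entrust would have no effect. The anchor-first builder stops at the included DigiNotar root and reports SSL-only trust without touching the Entrust bits, which is the behaviour option 1 and option 3 are trying to reach without disabling email trust for every CA under the Entrust root.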