On 6/20/2008 5:44 PM, Eddy Nigg wrote [in part]:

> This boils down to either of the two other options. If NSS isn't able to
> choose the DigiNotar root or treat the cross-signed certificate as
> revoked, then the email bit of Entrust should be set to off until the
> issue is solved in a different way. Incidentally, Entrust failed to make
> sure that certificates signed by them adhere to their own policies
> (assuming that they themselves validate email addresses; I don't remember
> now from memory) or to that of the Mozilla CA policy.
Has the failure by Entrust to enforce its policies against DigiNotar been brought to the attention of Entrust's auditors? I think it should be. If the auditors then decline to make it an issue, all other audits by that firm should be questioned. The issue should then be elevated to the WebTrust organization. Although I know that the cycle of audits, reports, etc. is lengthy (at least a year), this "whistle-blowing" would be an appropriate action. Of course, it should not be the only action.

-- 
David E. Ross
<http://www.rossde.com/>

Go to Mozdev at <http://www.mozdev.org/> for quick access to extensions for Firefox, Thunderbird, SeaMonkey, and other Mozilla-related applications. You can access Mozdev much more quickly than you can Mozilla Add-Ons.

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto