Frank Hecker wrote, On 2008-06-20 17:26:
> As promised, here is an update on where things stand with regard to
> DigiNotar and Entrust. (Since a lot of this is based on information I
> got from Nelson, he's invited to point out where I got things wrong.)
>
> First, a recap for those who've forgotten:
[snip]
> So the bottom line is that there are still unanswered questions, and I'm
> going to spend some more time trying to get them answered if I can.

Frank, I think your recap of the situation is correct.

The Diginotar email situation is an issue today, regardless of whether or not a Diginotar root CA cert is added to the trusted root list. It came to our attention during the course of evaluating Diginotar's request to have their root included, but it exists regardless of the outcome of that request.

I am confident that removing the email trust flag from the Entrust root that cross certified the Diginotar root key would effectively stop certs issued by Diginotar from being treated as valid email certs. This is the only method in which I am confident, today.

We have entertained the idea that NSS could actively distrust an intermediate CA cert for a certain usage (such as email), even if its issuer was trusted for that usage. But today I am NOT confident that any presently-released version of NSS correctly and effectively implements that active distrust. (I could test that in a day or two if I had an appropriate and relevant cert chain with which to test.)

I agree with others who have expressed the idea that Mozilla really should get Entrust to step in and address this problem. If, at some point, they revoke their old cross cert, and Mozilla products continue to honor the revoked cert because of revocation deficiencies in NSS, then that would be a problem on our shoulders, but I do not think our first action should be one that presumes that Entrust will not do that, nor should it be one that relieves Entrust of any obligation or motivation to take that action.

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
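The two mitigations weighed in the thread (dropping the email trust flag from the cross-certifying Entrust root, versus an active per-usage distrust of the DigiNotar intermediate) have different side effects on certificates that chain directly to Entrust. The toy model below, added here as an illustration and not NSS code or anything from the list, walks a chain leaf-first and applies per-usage trust and distrust flags the way the post describes them. The certificate names, chains and the `validate`/`evaluate` helpers are constructed for the example; the "active distrust" branch models the intended semantics, which the post says were not yet verified in a shipping NSS.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed model of NSS-style per-usage trust flags; not NSS itself.

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str  # subject of the issuer; equal to subject for a self-signed root


@dataclass
class TrustStore:
    # subject -> usages the cert is a trust anchor for (e.g. {"tls", "email"})
    trusted: Dict[str, Set[str]] = field(default_factory=dict)
    # subject -> usages actively distrusted, even if the issuer is trusted
    distrusted: Dict[str, Set[str]] = field(default_factory=dict)


def validate(chain: List[Cert], usage: str, store: TrustStore) -> Tuple[bool, str]:
    """Walk the chain from the leaf upward. An explicit distrust for this usage
    rejects the chain immediately; a cert trusted for this usage anchors it."""
    for cert in chain:
        if usage in store.distrusted.get(cert.subject, set()):
            return False, f"{cert.subject} is actively distrusted for {usage}"
        if usage in store.trusted.get(cert.subject, set()):
            return True, f"anchored at {cert.subject}, trusted for {usage}"
    return False, f"no trust anchor for {usage}"


# Constructed certificates (labels only; no real keys or DNs).
ENTRUST_ROOT = Cert("Entrust Root", "Entrust Root")
DIGINOTAR_CROSS = Cert("DigiNotar Root", "Entrust Root")  # cross cert issued by Entrust
DIGINOTAR_LEAF = Cert("user (DigiNotar-issued)", "DigiNotar Root")
ENTRUST_LEAF = Cert("user (Entrust-issued)", "Entrust Root")

DIGINOTAR_CHAIN = [DIGINOTAR_LEAF, DIGINOTAR_CROSS, ENTRUST_ROOT]
ENTRUST_CHAIN = [ENTRUST_LEAF, ENTRUST_ROOT]


def evaluate(store: TrustStore) -> Dict[str, bool]:
    """Outcome of the three checks a relying party would care about."""
    return {
        "diginotar_email": validate(DIGINOTAR_CHAIN, "email", store)[0],
        "diginotar_tls": validate(DIGINOTAR_CHAIN, "tls", store)[0],
        "entrust_email": validate(ENTRUST_CHAIN, "email", store)[0],
    }


def baseline() -> Dict[str, bool]:
    # Entrust root trusted for both usages; nothing else configured.
    return evaluate(TrustStore(trusted={"Entrust Root": {"tls", "email"}}))


def remove_email_flag() -> Dict[str, bool]:
    # Mitigation 1: strip the email flag from the cross-certifying root.
    # Blocks DigiNotar email certs, but also every Entrust-issued email cert.
    return evaluate(TrustStore(trusted={"Entrust Root": {"tls"}}))


def active_distrust() -> Dict[str, bool]:
    # Mitigation 2: keep Entrust fully trusted, actively distrust the
    # DigiNotar intermediate for email only. Entrust's own email certs survive.
    return evaluate(
        TrustStore(
            trusted={"Entrust Root": {"tls", "email"}},
            distrusted={"DigiNotar Root": {"email"}},
        )
    )


if __name__ == "__main__":
    for name, fn in (("baseline", baseline),
                     ("remove email flag", remove_email_flag),
                     ("active distrust", active_distrust)):
        print(f"{name:18} {fn()}")
```

Comparing `remove_email_flag()` with `active_distrust()` shows the trade-off the post is making: the flag removal is the mechanism known to work, at the cost of collateral impact on every email cert chaining to that Entrust root, while the targeted distrust is cleaner but only helps if the library actually enforces it at the intermediate.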