Nelson B Bolyard:
> I am confident that removing the email trust flag from the Entrust root
> that cross certified the Diginotar root key would effectively stop certs
> issued by Diginotar from being treated as valid email certs. This is the
> only method in which I am confident, today.
>
> We have entertained the idea that NSS could actively distrust an
> intermediate CA cert for a certain usage (such as email), even if its
> issuer was trusted for that usage. But today I am NOT confident that any
> presently-released version of NSS correctly and effectively implements
> that active distrust. (I could test that in a day or two if I had an
> appropriate and relevant cert chain with which to test.)
>
> I agree with others who have expressed the idea that Mozilla really should
> get Entrust to step in and address this problem. If, at some point, they
> revoke their old cross cert, and Mozilla products continue to honor the
> revoked cert because of revocation deficiencies in NSS, then that would
> be a problem on our shoulders, but I do not think our first action should
> be one that presumes that Entrust will not do that, nor should it be one
> that relieves Entrust of any obligation or motivation to take that action.
>
Another question is, what happens if the cross-signed certificate is revoked AND NSS recognizes the revocation. Would this effectively have the DigiNotar root show up as revoked? Not sure what will happen, but it's a possibility and something we most likely don't want after all.

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: [EMAIL PROTECTED]
Blog: https://blog.startcom.org

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
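As an added illustration of the remedy Nelson describes (dropping the S/MIME CA trust flag from a root in an NSS database), here is a small Python helper that is not part of this thread: it parses `certutil -L` output (a constructed sample below, not a real DB), lists which roots are trusted as email CAs, and builds the `certutil -M` trust string that removes that trust while leaving the SSL and object-signing slots untouched. The database path is a placeholder.

```python
"""Find NSS roots trusted for S/MIME and build the certutil -M call that
drops only the email CA trust flag. Trust slots follow certutil's order:
SSL,S/MIME,JAR/XPI."""
import re

# Constructed sample of `certutil -L -d <dbdir>` output; nicknames are made up.
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Example Cross Root (constructed)                             C,C,C
Example TLS-only Root (constructed)                          C,,
Example Peer Cert (constructed)                              P,P,
"""

# Nickname, whitespace, then three comma-separated slots of certutil trust letters.
TRUST_RE = re.compile(r"^(?P<nick>.+?)\s+(?P<trust>[CTcPpuw]*,[CTcPpuw]*,[CTcPpuw]*)$")


def parse_listing(text):
    """Return {nickname: (ssl, smime, jar)} from certutil -L output."""
    entries = {}
    for line in text.splitlines():
        m = TRUST_RE.match(line.rstrip())
        if m:  # header lines carry no trust string and are skipped
            entries[m.group("nick").rstrip()] = tuple(m.group("trust").split(","))
    return entries


def email_trusted_cas(entries):
    """Nicknames whose S/MIME slot marks them a trusted CA ('C')."""
    return sorted(nick for nick, (_ssl, smime, _jar) in entries.items() if "C" in smime)


def drop_email_ca_trust(trust):
    """Strip the CA flags ('C' and 'T') from the S/MIME slot only."""
    ssl, smime, jar = trust
    smime = "".join(ch for ch in smime if ch not in "CT")
    return (ssl, smime, jar)


def certutil_modify_command(nickname, trust, dbdir="sql:/path/to/nssdb"):
    """Build the `certutil -M` invocation applying `trust` (dbdir is a placeholder)."""
    trust_args = ",".join(trust)
    return f'certutil -M -d {dbdir} -n "{nickname}" -t "{trust_args}"'


if __name__ == "__main__":
    roots = parse_listing(SAMPLE_LISTING)
    for nick in email_trusted_cas(roots):
        print(certutil_modify_command(nick, drop_email_ca_trust(roots[nick])))
```

Run against a real profile, the printed commands are what you would review before applying; they do not touch the database themselves.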