On 01/12/2009 03:07 PM, Rob Stradling:
Eddy, I agree that the Potentially Problematic Practices wiki page is a useful
resource during the "information gathering period" that happens *before* a
Root Certificate is ever accepted by Mozilla.
But (reading back a few messages in this thread), the context of this
discussion is Paul's proposal of a "retroactive change to its (Mozilla's)
acceptance policy in the pile" in order to curtail the use of MD5 by CAs who
have *already* been accepted by Mozilla.
Are you saying that Mozilla could change the Potentially Problematic Practices
wiki page, and then use "non-compliance" to anything on that page as grounds
for pulling a previously approved Root Certificate from the trust pile?
In theory yes, however there is a way doing these kind of things. First
of all it really depends on the issue itself and the risks involved. If
there is an issue which warrants for such a measure, CAs must be updated
and given time to adjust. How much time is reasonable in this respect
depends - again on the risk, potential implementation difficulties and
perhaps how many CAs might be affected from such a measure.
Again, the Mozilla CA Policy allows for such measures at any time and
there is no expressed or implied statement which requires Mozilla to
make a certain issue policy first. For example, if MD5 would completly
break SSL/TLS, than such a measure could be reasonable. But than in this
case it's better dealt with in the software itself. At least that's how
I interpret the policy.
Other issues affecting only a specific CA will be most likely dealt with
the CA directly, that's my understanding how Frank handles it.
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog: https://blog.startcom.org
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
