On 01/12/2009 09:20 PM, Paul Hoffman:
No, because it is not true. What is true is that signing with MD5 is now
considered to be insecure, and what Mozilla will do about it.
Should every possible algorithm be listed there too?
Probably, yes. That is, every allowed signing algorithm should be listed; we
obviously don't need a list of the non-allowed algorithms.
Do your CA policy and practice statements list any algorithm you don't intend
to use for the same reasons?
We should not be relying on CAs' CPSs: we should be relying on our own view of
what is good-enough security.
This was a question directed to Rob, not Mozilla :-)
Or suppose Mozilla deems certain practices in relation to RAs and/or
intermediate CAs an unnecessary risk and problematic, does this have to be
explicitly stated in the Mozilla CA Policy?
Yes.
If yes, what else must be stated there, or is the intent of the policy clear
enough?
Everything that we know that some CAs might do wrong that is not acceptable to Mozilla
should be listed there. As we discover new categories (in this case, "uses unsafe
algorithm"), it should be added. That list is not going to be long, but it *will* be
valuable.
OK, I'm not sure if this is/was the intention of Frank and the
objectives of the Mozilla CA Policy.
Nevertheless, I suggest starting the work for a possible change to the
policy in order to address those issues now. Changes have been made to
the policy within a relatively short time in order to address EV; it's
entirely possible to get it accomplished with reasonable effort and in a
useful time-frame.
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog: https://blog.startcom.org
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto