On Monday 12 January 2009 20:28:25 Eddy Nigg wrote:
> On 01/12/2009 09:20 PM, Paul Hoffman:
> > No, because it is not true. What is true is that signing with MD5 is now
> > considered to be insecure, and what Mozilla will do about it.
> >
> >> Should every possible algorithm be listed there too?
> >
> > Probably, yes. That is, every allowed signing algorithm should be listed;
> > we obviously don't need a list of the non-allowed algorithms.
> >
> >> Does your CA policy and practice statements list any algorithm you don't
> >> intend to use for the same reasons?
> >
> > We should not be relying on CA's CPSs: we should be relying on our own
> > view of what is good-enough security.
>
> This was a question directed to Rob, not Mozilla :-)

Eddy, I do think that the Mozilla CA Certificate Policy should cover *all*
"actual" problematic practices. In this particular case, I think that a
blacklist of unsupported/non-allowed/not-recommended algorithms and/or a
whitelist of supported/allowed/recommended algorithms would be very useful
information for the CAs.

If Mozilla ever does decide to pull a CA's Root for whatever reason, wouldn't
it be so much better if Mozilla could say to them...

"CA X, you have no excuse. You have clearly violated clause N of version Y.Z
of the Mozilla CA Certificate Policy, which you had previously agreed to
adhere to"

...rather than...

"CA X, you took your eyes off the ball. You really should have been following
all of the discussions on mozilla.dev.tech.crypto more closely and assuming
that any opinion expressed might become Mozilla's official policy at any
moment. And you really should have assumed that violating any 'potentially
problematic practice' could give us cause to pull your Root at any time"

?

To put it simply: I would really like Mozilla's expectations of the CAs to be,
on an ongoing basis, 100% clear.

> >> Or suppose Mozilla deems certain practices in relation to RAs and/or
> >> intermediate CAs an unnecessary risk and problematic, does this have to
> >> be explicitly stated in the Mozilla CA Policy?
> >
> > Yes.
> >
> >> If yes, what else must be stated there or is the intent of the policy
> >> clear enough?
> >
> > Everything that we know that some CAs might do wrong that is not
> > acceptable to Mozilla should be listed there. As we discover new
> > categories (in this case, "uses unsafe algorithm"), it should be added.
> > That list is not going to be long, but it *will* be valuable.
>
> OK, I'm not sure if this is/was the intention of Frank and the
> objectives of the Mozilla CA Policy.
>
> Nevertheless I suggest to start the work for a possible change to the
> policy in order to address those issues now. Changes have been made to
> the policy within relatively short time in order to address EV, it's
> entirely possible to get it accomplished with reasonable effort and
> useful time-frame.

-- 
Rob Stradling
Senior Research & Development Scientist
Comodo - Creating Trust Online
Office Tel: +44.(0)1274.730505
Fax Europe: +44.(0)1274.730909
www.comodo.com

Comodo CA Limited, Registered in England No. 04058690
Registered Office:
3rd Floor, 26 Office Village, Exchange Quay,
Trafford Road, Salford, Manchester M5 3EQ

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto