You seem to misunderstand the reason there's friction here. (I do understand your reasoning -- there are a lot of active certificates in active use under that root, and you would like to see Thunderbird support them.)
However: Over the past several years, the process for getting CAs approved has been very slow, and it has been one of our less well-stated goals to not have to go through a long, unpaid(!) public comment period for something which will only have a limited period of utility (in this case, 20 months at best). We've many requests in the CA queue, as you're undoubtedly aware; we're trying to chug through them as quickly as we can, but we really want not to have to revisit or take action on these non-EV issues for ideally at least 5 years.

As a compromise, I think that if this usage is compatible with your Universal root's CPS, you could cross-certify TC TrustCenter Class 1 CA with your Universal root with an explicit end-date of 01/01/2011. We might then be able to include that cross-certificate in the store without having to evaluate the trust bits for it explicitly, instead simply including it as a convenience and letting its trust inherit from the Universal root that you are attempting to get included and trusted. (Since CAs are identified by name, and authenticated by the signature on their certificate, a version that's untrusted will be overridden by a version that is trusted -- unless your client certificates have AKIDs in the OpenSSL overspecified format.)

Now, I can't speak to this directly; it would require approval from Frank to do, since it's something of a departure from the normal policy.

-Kyle H

2009/3/18 Rolf Lindemann <lindem...@trustcenter.de>:
> Hi,
>
>>http://www.mozilla.org/projects/security/certs/pending/#TC%20TrustCenter
>>the first entry refers to a root (TC TrustCenter Class 1 CA)
>>with a key size of 1024 bit and which expires at the 2011-01-01. I think
>>it's unreasonable to expect to have this root considered for inclusion
>>and this was the root I was referring to.
>>
> The "TC Class 1 CA" root certificate will be phased out until end of 2010.
> There are a large number of certificates chained to that root which are
> being used for secure email.
> So I think there is value for Thunderbird to have that root pre-installed.
>
> Best regards,
> Rolf
>
> --
> Dr. Rolf Lindemann
> Director Product Management
> TC TrustCenter GmbH
>
> --
> dev-tech-crypto mailing list
> dev-tech-crypto@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-tech-crypto
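
The AKID caveat in the message above, as an added example that is not part of the original thread: a simplified Python model of issuer selection by name plus the authorityKeyIdentifier fields defined in RFC 5280. All names, serials and key identifiers are constructed, and no real X.509 parsing or signature checking is done.

```python
# Simplified model of issuer selection during path building (added example).
# Field names and sample values are constructed; no real X.509 parsing is done.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int
    skid: str                          # subjectKeyIdentifier
    akid_keyid: Optional[str] = None   # AKID keyIdentifier
    akid_issuer: Optional[str] = None  # AKID authorityCertIssuer
    akid_serial: Optional[int] = None  # AKID authorityCertSerialNumber
    trusted_via: Optional[str] = None  # label only: where this CA cert gets trust

def akid_matches(child: Cert, cand: Cert) -> bool:
    """Apply every AKID field the child carries to a candidate issuer cert."""
    if child.akid_keyid is not None and child.akid_keyid != cand.skid:
        return False
    if child.akid_serial is not None and child.akid_serial != cand.serial:
        return False
    # authorityCertIssuer names the issuer of the issuer certificate.
    if child.akid_issuer is not None and child.akid_issuer != cand.issuer:
        return False
    return True

def candidate_issuers(child: Cert, store: list[Cert]) -> list[Cert]:
    """Candidates are found by name, then filtered by the child's AKID."""
    return [c for c in store if c.subject == child.issuer and akid_matches(child, c)]

# Constructed sample data: one CA name and key, two certificates for it.
OLD_ROOT = Cert("CN=Class 1 CA", "CN=Class 1 CA", 1, "key-A")
CROSS = Cert("CN=Class 1 CA", "CN=Universal Root", 77, "key-A",
             trusted_via="Universal Root")
STORE = [OLD_ROOT, CROSS]

# Leaf with keyIdentifier only: either certificate for the CA key is acceptable.
LEAF_KEYID = Cert("CN=user", "CN=Class 1 CA", 500, "key-U", akid_keyid="key-A")
# Leaf that also carries issuer name and serial: pinned to the old self-signed root.
LEAF_PINNED = Cert("CN=user2", "CN=Class 1 CA", 501, "key-V", akid_keyid="key-A",
                   akid_issuer="CN=Class 1 CA", akid_serial=1)

if __name__ == "__main__":
    for leaf in (LEAF_KEYID, LEAF_PINNED):
        found = candidate_issuers(leaf, STORE)
        print(leaf.subject, "->", [(c.issuer, c.serial) for c in found])
```

The keyIdentifier-only leaf can chain through the cross-certificate; the leaf whose AKID also names the issuer and serial cannot, so for such certificates the cross-certificate does not substitute for the old root.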