Eddy Nigg (StartCom Ltd.):
> 4.) Frank, this one is for you:
>
> Since most (if not all) CA root certificates of Comodo were inherited
> from the Netscape era and never were properly evaluated by an inclusion
> process and in light of the questions above, isn't a thorough review of
> this CA in
This is a revised version of my initial questions concerning the Comodo
inclusion and upgrade requests. I've updated the sections which received
a response from Frank and are solved from my point of view and added
some more content where deemed necessary.
1.) The audit report for non-EV operati
Frank Hecker:
> Eddy Nigg (StartCom Ltd.) wrote:
>
>> 3.) Here a few questions in relation to the LiteSSL CPS:
>>
>
>
>> * 4.1 states that the enrollment process MAY include check for
>> domain ownership. This means that the checks can be omitted?
>>
>
> I think this is ano
Frank Hecker:
> Eddy Nigg (StartCom Ltd.) wrote:
>
>> This particular part DOES bother you, because wild card certificates
>> aren't controllable in the same way as regular ones. A seemingly
>> innocent domain name can become a tool for phishing. For example
>> *.domain.com matches paypal.dom
Frank Hecker:
> Nelson Bolyard wrote:
>
>> Wow! I'd say that a CA that says "You cannot rely on our certs for
>> eCommerce" should not be trusted for SSL by default in Mozilla products!
>>
>> Of course, that's a policy issue. Frank, what do you think?
>>
>
> It is a policy issue, and we'v
Eddy Nigg (StartCom Ltd.) wrote:
> Rob Stradling:
>> For the record, I can assure you that Comodo never issue DV and EV
>> certs from the same Intermediate CA.
>>
> In that case we need to update our papers then. For example I've
> received the following comment from Frank previously concerni
Eddy Nigg (StartCom Ltd.) wrote:
> 3.) Here a few questions in relation to the LiteSSL CPS:
> * 4.1 states that the enrollment process MAY include check for
> domain ownership. This means that the checks can be omitted?
I think this is another case of sloppy CPS language. Section 4.2.7 of
Eddy Nigg (StartCom Ltd.) wrote:
> Ohoommm...it doesn't say not to rely for e-commerce, but not to rely AT
> ALL :-) It says, BECAUSE the certificates aren't meant to be for
> e-commerce parties can not rely on it - any party - for any purpose -
> do not qualify as a relying party.
After looki
Eddy Nigg (StartCom Ltd.) wrote:
> This particular part DOES bother you, because wild card certificates
> aren't controllable in the same way as regular ones. A seemingly
> innocent domain name can become a tool for phishing. For example
> *.domain.com matches paypal.domain.com and paypal-object
Nelson Bolyard wrote:
> Wow! I'd say that a CA that says "You cannot rely on our certs for
> eCommerce" should not be trusted for SSL by default in Mozilla products!
>
> Of course, that's a policy issue. Frank, what do you think?
It is a policy issue, and we've had this discussion before. My po
Eddy Nigg (StartCom Ltd.) wrote:
> 1.) Is it possible to get a list of the currently active issuing
> intermediate CA certificates of each CA root *currently* for
> consideration? It would be interesting to know which of these issue EV,
> both or non-EV.
I *think* what you're looking for is in
Frank Hecker:
> Eddy Nigg (StartCom Ltd.) wrote:
>
>> 3.) Here a few questions in relation to the LiteSSL CPS:
>>
>
> In reference to this, it's not clear to me whether Comodo still issues
> LiteSSL certificates or not. Note that the LiteSSL CPS Addendum is an
> addendum to version 2.4 of
12 matches