Hi Michael,
Michael Ströder wrote:
> Eddy Nigg (StartCom Ltd.) wrote:
>> The issuing CA of a root certificate is *supposed* to be responsible for
>> its sub CAs naturally, however as a user of Mozilla software I want to
>> be *assured*, that this is indeed the case.
>>
>
> There is no way t
Eddy Nigg (StartCom Ltd.) wrote:
> [EMAIL PROTECTED] wrote:
>> 1. The Root is responsible for certs issued by a Sub-CA and are
>> included in the Root's WebTrust audit.
>
> The issuing CA of a root certificate is *supposed* to be responsible for
> its sub CAs naturally, however as a user of Mozi
Michael Ströder wrote:
>
> From project experience I can confirm that it's exactly like what Kyle
> suspects. I won't mention names but bringing your CA certs into MS IE
> and the Mozilla products is simply a cash cow. Nothing else. In the
> cases I know no audits were conducted on sub-CAs by t
Eddy Nigg (StartCom Ltd.) wrote:
> Which raises at least with me the question, if this is indeed what was
> envisioned when Mozilla decided to endorse EV as a better PKI model. Or
> are people like Kyle perhaps rightfully thinking that he's being cheated
> on by some CAs? I'm quoting a recent st
David E. Ross wrote:
>
> Bug 413375 deals primarily (if not entirely) with certificates that have
> technical flaws. The concern that is the basis of this thread is
> certificates whose CAs are behaving inappropriately. Either bug 413375
> should be updated (including the summary) to expand its s
On 2/13/2008 12:03 PM, Eddy Nigg (StartCom Ltd.) wrote [in part]:
> I previously wrote [also in part]:
>> In the existing policy, I see only brief mention of removing a
>> previously approved root certificate (the phrase "to discontinue
>> including a particular CA certificate in our products" in t
David E. Ross wrote:
> In the existing policy, I see only brief mention of removing a
> previously approved root certificate (the phrase "to discontinue
> including a particular CA certificate in our products" in the first
> sentence of Section 4). I think we need to expand upon that issue.
>
> Ex
On 2/12/2008 7:37 PM, Eddy Nigg (StartCom Ltd.) wrote:
> Below my suggestions concerning a policy update or guidelines for CAs
> which issue or have already external sub-ordinated CAs. This could be
> also an extension to the Mozilla policy. Here is my initial take:
>
> Plain CAs:
>
> - Obligat
[EMAIL PROTECTED] wrote:
> Maintenance of the WebTrust seal requires an annual audit.
Obtaining the WebTrust seal is optional, not to mention that Mozilla
accepts auditors not accredited by the WebTrust organization. Hence
there is no re-auditing requirement right now.
> The audit
> is o
Maintenance of the WebTrust seal requires an annual audit. The audit
is of compliance with the CPS - so if there are issuing CAs - whether
internal or external - covered by the CPS, then they are part of those
procedures.
The same is not true of ETSI - which is a standard not really an audit
regime.
Below my suggestions concerning a policy update or guidelines for CAs
which issue or have already external sub-ordinated CAs. This could be
also an extension to the Mozilla policy. Here is my initial take:
Plain CAs:
- Obligations and requirements of intermediate CAs shall be clearly
defined a
Eddy Nigg (StartCom Ltd.) wrote:
>
> I guess this time you are wrong :-)
>
>
Frank, I'm reading it again and again... maybe you are right :-)
Maybe not... but maybe somebody can tell us what it's meant to be,
preferably either the Forum or a CA which has external sub CAs which
issue EV (Verisign?)
Frank Hecker wrote:
Eddy Nigg (StartCom Ltd.) wrote:
It seems to me, even though I believed that EV would change that, nothing
will change in that respect, especially the vetting of the issuing CAs.
I suggest to ask the CAB Forum directly if all sub ordinated CAs must be
explicitly audi
Eddy Nigg (StartCom Ltd.) wrote:
> It seems to me, even though I believed that EV would change that, nothing
> will change in that respect, especially the vetting of the issuing CAs.
In addition to Stephen's comments, I'll note that the EV guidelines
specifically state (section J.35.c.1 on page 47):
Kyle Hamilton wrote:
>
> What are the continuing audit requirements? ARE there any continuing
> audit requirements?
Frank has commented in a lengthy reply so I'll just add my two cents on
this. I believe that re-audits are generally a good thing, however I'm
not sure if MoFo is in the position t
Kyle Hamilton wrote:
> What are the continuing audit requirements? ARE there any continuing
> audit requirements? How do the audit guidelines for EV differ from
> the audit guidelines for WebTrust? And where are the audits made
> public? (Are they made public? If not, what aspects are made pub
Eddy Nigg has brought up a couple of points that I had not thought of,
and I would also point to his messages for issues to be addressed.
I cannot point to any specific roots that have "not kept up their
audits". I think this is a red herring, though. It is much more telling
that "I cannot point to
It would be nice to know to whom I'm talking...
[EMAIL PROTECTED] wrote:
> 1. Audit standards (WebTrust and ETSI for example) check that the CA
> complies with its CPS - and that includes subordinates and external
> RAs
>
> From Webtrust: "In the hierarchical model, the root CA maintains the
>
1. Audit standards (WebTrust and ETSI for example) check that the CA
complies with its CPS - and that includes subordinates and external
RAs
From Webtrust: "In the hierarchical model, the root CA maintains the
established "community of trust" by ensuring that each entity in the
hierarchy confor
[EMAIL PROTECTED] wrote:
>> "The end result is that anyone who chooses to spend a hundred thousand
>> bucks or so on a single audit can then go around selling the benefit of
>> their inclusion in the trust list to the highest bidder without fear of
>> repercussion. Which is what they've been do
> "The end result is that anyone who chooses to spend a hundred thousand
> bucks or so on a single audit can then go around selling the benefit of
> their inclusion in the trust list to the highest bidder without fear of
> repercussion. Which is what they've been doing. And nobody has the balls
Frank Hecker wrote:
> I'm not sure what you mean by "cosmetically",
With "cosmetic" I mean that nothing prevents a CA from establishing the
needed OID chain NSS will be looking for. There is (almost) no
difference between issuing an intermediate CA certificate and issuing
one with the needed OID. Th
Eddy Nigg (StartCom Ltd.) wrote, On 2008-02-10 17:33:
> Network Solutions has a server certificate issued by "Network Solutions
> EV SSL CA". Ever heard of this CA? Well, it's chained like this:
>
> "AddTrust External CA Root" from Sweden and belongs to Comodo from the
> United Kingdom ->
> "UT
Eddy Nigg (StartCom Ltd.) wrote:
> Thanks for this information. However from our (Mozilla) point of view,
> the root can sign X CA certificates able to sign EV certificates
> (directly and indirectly). The OID requirement is just cosmetic in
> respect of the capabilities once a root is marke
Frank Hecker wrote:
> So the bottom line is that if a root CA is approved for EV, its
> subordinate CAs do *not* automatically gain the ability to issue EV
> certificates. Instead the root CA has to specifically enable a given
> subordinate to be "EV-capable", by issuing it a CA certificate with
Eddy Nigg (StartCom Ltd.) wrote:
> Now, I have no clue how this is going to work and perhaps Nelson can
> give us some more information... example: If AddTrust is going to be
> upgraded to an EV root, is any sub ordinated CA potentially an EV CA?
I haven't yet looked in detail at the Network So
Frank Hecker wrote:
> Eddy Nigg (StartCom Ltd.) wrote:
>
>
>> ... _I'm requesting
>> hereby and now to have thorough review of this situation and
>> reassessment_ of the Mozilla CA policy concerning everything related to
>> sub-ordinated CAs.
>>
>
> This is a good discussion to have, an
Eddy Nigg (StartCom Ltd.) wrote:
> ... _I'm requesting
> hereby and now to have thorough review of this situation and
> reassessment_ of the Mozilla CA policy concerning everything related to
> sub-ordinated CAs.
This is a good discussion to have, and I agree that it's a timely issue.
I'd onl