Re: Update on DigiNotar and Entrust

2008-06-25 Thread Eddy Nigg
David E. Ross: > Is the problem here caused (or at least compounded) by the > implementation of bug #399045? See > . > No. -- Regards Signer: Eddy Nigg, StartCom Ltd. Jabber: [EMAIL PROTECTED] Blog: https://blog.startcom.org

Re: Update on DigiNotar and Entrust

2008-06-25 Thread David E. Ross
On 6/20/2008 5:26 PM, Frank Hecker wrote: > As promised, here is an update on where things stand with regard to > DigiNotar and Entrust. (Since a lot of this is based on information I > got from Nelson, he's invited to point out where I got things wrong.) > > First, a recap for those who've forg

Re: Update on DigiNotar and Entrust

2008-06-24 Thread Eddy Nigg
Nelson B Bolyard: > Eddy Nigg wrote, On 2008-06-24 14:56: > >> Another question is, what happens if the cross-signed certificate is >> revoked AND NSS recognizes the revocation. Would this effectively have >> the DigiNotar root show up as revoked? > > It would, UNLESS any of the following were true

Re: Update on DigiNotar and Entrust

2008-06-24 Thread Nelson B Bolyard
Eddy Nigg wrote, On 2008-06-24 14:56: > Another question is, what happens if the cross-signed certificate is > revoked AND NSS recognizes the revocation. Would this effectively have > the DigiNotar root show up as revoked? It would, UNLESS any of the following were true: 1. A newer Entrust c

Re: Update on DigiNotar and Entrust

2008-06-24 Thread Eddy Nigg
Nelson B Bolyard: > I am confident that removing the email trust flag from the Entrust root > that cross certified the Diginotar root key would effectively stop certs > issued by Diginotar from being treated as valid email certs. This is the > only method in which I am confident, today. > > We hav

Re: Update on DigiNotar and Entrust

2008-06-24 Thread Nelson B Bolyard
Frank Hecker wrote, On 2008-06-20 17:26: > As promised, here is an update on where things stand with regard to > DigiNotar and Entrust. (Since a lot of this is based on information I > got from Nelson, he's invited to point out where I got things wrong.) > > First, a recap for those who've forg

Re: Update on DigiNotar and Entrust

2008-06-23 Thread Robert Relyea
Frank Hecker wrote: 3. Find some other way to get NSS not to recognize DigiNotar certs for email, perhaps in combination with some action by Entrust and/or DigiNotar. For example, one idea is to have end users of DigiNotar certs reconfigure their email clients to have cert chains that termina

Re: Update on DigiNotar and Entrust

2008-06-22 Thread Frank Hecker
Eddy Nigg wrote: > Perhaps Nelson can provide more information about the road map for CRL > fetching, but it will be soon supported by NSS. This would solve the > problem once it is. Note that there are other things besides CRL checking per se that I'd like to see in NSS. There seem to be a lot

Re: Update on DigiNotar and Entrust

2008-06-22 Thread Eddy Nigg
Frank Hecker: > For the record, Entrust understands what our concern is and has been > cooperative in trying to come up with a way to address it. However the > problem is that even if Entrust were to revoke DigiNotar's intermediate > CA certificate that would not help resolve the problem, for the r

Re: Update on DigiNotar and Entrust

2008-06-22 Thread Kyle Hamilton
This sounds rather dangerously like a security-related design and implementation failure. In fact, this sounds so much like such that if it were up to me, I'd mark this lack of functionality as 'critical/urgent' in the NSS design path and get it done before anything else. -Kyle H On Sun, Jun 22,

Re: Update on DigiNotar and Entrust

2008-06-22 Thread Frank Hecker
David E. Ross wrote: > Has the failure by Entrust to enforce its policies against DigiNotar > been brought to the attention of Entrust's auditors? I think it should. For the record, Entrust understands what our concern is and has been cooperative in trying to come up with a way to address it. Ho

Re: Update on DigiNotar and Entrust

2008-06-21 Thread David E. Ross
On 6/20/2008 5:44 PM, Eddy Nigg wrote [in part]: > > This boils down to either of the two other options. If NSS isn't able to > choose the DigiNotar root or treat the cross-signed certificate as > revoked, then the email bit of Entrust should be set to off until the > issue is solved in a diffe

Re: Update on DigiNotar and Entrust

2008-06-20 Thread Eddy Nigg
Kyle Hamilton: > I tend to disagree. > > I think that Mozilla needs to grow enough balls to boot out anyone who > doesn't continue to adhere to the standards for inclusion after > approval. The first step is to receive a firm commitment from the CA. Before kicking a CA out of NSS, Mozilla should

Re: Update on DigiNotar and Entrust

2008-06-20 Thread Kyle Hamilton
On Fri, Jun 20, 2008 at 5:44 PM, Eddy Nigg <[EMAIL PROTECTED]> wrote: > This boils down to either of the two other options. If NSS isn't able to > choose the DigiNotar root or treat the cross-signed certificate as > revoked, then the email bit of Entrust should be set to off until the > issue is so

Re: Update on DigiNotar and Entrust

2008-06-20 Thread Eddy Nigg
Frank Hecker: > As promised, here is an update on where things stand with regard to > DigiNotar and Entrust. Thanks for the follow-up, Frank! > > 1. Get DigiNotar to improve its practices with regard to certificates > that contain email addresses and could be used for S/MIME email. This is > my

Update on DigiNotar and Entrust

2008-06-20 Thread Frank Hecker
As promised, here is an update on where things stand with regard to DigiNotar and Entrust. (Since a lot of this is based on information I got from Nelson, he's invited to point out where I got things wrong.) First, a recap for those who've forgotten: Recently I approved inclusion of the DigiNot