Kurt - Another disadvantage of having CAs with a relationship to something like the US FPKI or Dutch PKIoverheid also apply directly to be included as a trust anchor with Mozilla, Microsoft, etc is if a problem does pop up with one of these CAs the programs that distribute it remove it via an update or patch that requires all relying parties to accept, rather than the single trust anchor severing the relationship by revoking the certificate. Which I know does require the relying parties to be checking certificate status.
wendy Message: 5 Date: Thu, 20 Mar 2014 19:19:08 +0100 From: Kurt Roeckx <k...@roeckx.be> To: Policy Authority PKIoverheid <mark.jans...@logius.nl> Cc: dev-security-policy@lists.mozilla.org Subject: Re: "Super" CAs Message-ID: <20140320181908.gc7...@roeckx.be> Content-Type: text/plain; charset=us-ascii Hi, I think what we want to accomplish is that all CAs are properly audited with all our requirements. And from what you describe I see no problem with PKIoverheid. But I have the feeling that the Dutch government is an exception and can only hope that the others would follow the example. You say that commercial parties can also apply for this with PKIoverheid. But they could also apply directly with Mozilla for inclusion, since I understand that they would also comply with Mozilla's requirements. I'm not sure what the best approach is. The advantage I see for applying directly with Mozilla instead of some super CA: - It's more transparent. Mozilla publishes all audit reports. - We can contrain the CAs more easily. - It's easier to disable a CA in case of problems. - The hierachy gets smaller The disavantages: - The new CA would need to apply in multiple programs like Mozilla and Microsoft. - Might give more work to Mozilla. Others? Kurt NOTICE: Protiviti is a global consulting and internal audit firm composed of experts specializing in risk and advisory services. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services. This electronic mail message is intended exclusively for the individual or entity to which it is addressed. This message, together with any attachment, may contain confidential and privileged information. Any views, opinions or conclusions expressed in this message are those of the individual sender and do not necessarily reflect the views of Protiviti Inc. or its affiliates. Any unauthorized review, use, printing, copying, retention, disclosure or distribution is strictly prohibited. If you have received this message in error, please immediately advise the sender by reply email message to the sender and delete all copies of this message. Thank you. _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy