On 4/24/2015 8:58 AM, Ryan Sleevi wrote [in part]:
> On Fri, April 24, 2015 8:20 am, I previously wrote [also in part]:
>>  2.  If the new owner is a certification authority whose root
>>  certificates already exist in the NSS database, that root will continue
>>  to be considered trusted.  However, trust bits and EV status of the
>>  transferred root cannot exceed the collective trust and EV status of the
>>  other roots of the new owner.  The audit cycle for the transferred root
>>  will be changed to match that of its new owner.
> 
> This, of course, makes no sense, as this is not how audits or trust bits
> work. Trust bits are not granted to the organization, they're granted on
> the contingency of the CP, CPS, and certificate.
> 
> An organization can have a DV and EV root. That doesn't mean new
> certificates they acquire are automatically EV, nor does it mean that if
> they only have a DV root, they cannot concurrently operate an EV root.
> 
> I strongly suggest this suggestion be ignored.
> 

If a root has already been added to the NSS database, we must assume
that it has undergone the Mozilla process for that inclusion.  The
process involves looking not only at the root but also at the
certification authority; at least that is what appears in both the
public discussion of the request to add the root and in the stream of
comments in the bugzilla.mozilla.org bug report that initiates the
request.

If a root in the NSS database is transferred to a new owner and that new
owner already has roots in the NSS database, I assert the new owner has
already undergone sufficient scrutiny.  I limit my assertion, however,
to cases where the transferred root has characteristics (e.g., trust
bits, EV status) in common with roots already owned by the new owner.
That is, for example, I would not accept EV status on a transferred root
if none of the other roots of the new owner have EV status.

We trusted the old owner of the root and we trust the new owner.  Thus,
we can trust the transferred root to the minimum level we trusted the
two owners.  In the environment of OpenPGP, this is analogous to the Web
of Trust.

-- 
David E. Ross

I am sticking with SeaMonkey 2.26.1 until saved passwords can
be used when autocomplete=off.  See
<https://bugzilla.mozilla.org/show_bug.cgi?id=433238>.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy