As a side note to the main topic, I find it curious and a little disconcerting that the link to the E&Y assessment of CrossCert (outlined in Point 2 of "Additional Follow-ups") found in the document linked by Steve (here: https://bug1334377.bmoattachments.org/attachment.cgi?id=8831038 ) uses this web address for accessing the E&Y assessment: https://cert.webtrust.org/SealFile?seal=2168&file=pdf and that accessing this address gives a "Secured Connection Failure: SSL_ERROR_UNSAFE_NEGOTIATION" status.

This (WebTrust) organisation, which seems to play the role of certifying PKI distributing authorities (such as CrossCert, Symantec, etc.), can't use a half-decent security certificate for their own sites! Disappointing.

p.s. Afterwards, running the address through the SSL Labs test, it gets an F. See: https://www.ssllabs.com/ssltest/analyze.html?d=cert.webtrust.org Very disappointing.

Further information (you probably already know, but just for completeness' sake). From their website:

-----------------------------
What is the purpose of the WebTrust for CAs program

The WebTrust for CAs program helps to ensure that proper procedures are followed in activities involving e-commerce transactions, public key infrastructure (PKI), and cryptography. In online trust and e-commerce transactions, confidentiality, authentication, integrity, and nonrepudiation are vitally important. These requirements are satisfied using PKI and SSL Certificates. A certification authority verifies the identity of an organization/entity and issues a certificate that the organization can use to prove their identity. CAs are taking an increasingly important role in the security of e-commerce. Although there are many national, international, and proprietary standards and guidelines for the use of cryptography, the management of digital certificates, and the policies and practices of CAs, these standards have not been applied uniformly. The AICPA/CICA WebTrust Program for Certification Authorities ensures that specific policies are implemented and enforced.
-----------------------------

And this organisation can't supply valid TLS certificates for their own websites?

Jeeeeeeee

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
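The SSL_ERROR_UNSAFE_NEGOTIATION status mentioned in the message above is what Firefox reports when a server does not advertise RFC 5746 secure renegotiation (the renegotiation_info extension, type 0xff01, in its ServerHello). The following is an added example, not part of the original post or of any WebTrust or Mozilla code, showing how that check can be made offline on a captured TLS 1.2 ServerHello record: it parses the record down to the extensions block and reports whether the server sent the (empty, for an initial handshake) renegotiation_info extension. The two ServerHello records it inspects are constructed fixtures built by the helper in the block, not captures from cert.webtrust.org.

```python
"""Check a TLS 1.2 ServerHello for the RFC 5746 renegotiation_info extension.

Added example; the ServerHello records below are constructed fixtures,
not captured traffic from any real server.
"""
import struct

RENEGOTIATION_INFO = 0xFF01      # RFC 5746 extension type
HANDSHAKE_RECORD = 22            # TLS record content type "handshake"
SERVER_HELLO = 2                 # handshake message type


def parse_server_hello_extensions(record: bytes) -> dict:
    """Return {extension_type: extension_data} from a ServerHello record.

    Walks record header -> handshake header -> ServerHello fixed fields
    -> extensions block. Raises ValueError if the bytes are not a
    ServerHello handshake record.
    """
    content_type, _version, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != HANDSHAKE_RECORD:
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + rec_len]
    if body[0] != SERVER_HELLO:
        raise ValueError("not a ServerHello message")
    hs_len = int.from_bytes(body[1:4], "big")
    sh = body[4:4 + hs_len]

    off = 2 + 32                      # server_version + random
    sid_len = sh[off]
    off += 1 + sid_len                # session_id
    off += 2 + 1                      # cipher_suite + compression_method

    exts = {}
    if off >= len(sh):                # no extensions block at all
        return exts
    (ext_total,) = struct.unpack("!H", sh[off:off + 2])
    off += 2
    end = off + ext_total
    while off < end:
        ext_type, ext_len = struct.unpack("!HH", sh[off:off + 4])
        off += 4
        exts[ext_type] = sh[off:off + ext_len]
        off += ext_len
    return exts


def supports_secure_renegotiation(record: bytes) -> bool:
    """True if the ServerHello carries RFC 5746 renegotiation_info.

    On an initial handshake the extension body is a single zero length
    byte (an empty renegotiated_connection). Anything else, or a missing
    extension, is what Firefox surfaces as SSL_ERROR_UNSAFE_NEGOTIATION.
    """
    data = parse_server_hello_extensions(record).get(RENEGOTIATION_INFO)
    return data == b"\x00"


def build_server_hello(extensions) -> bytes:
    """Construct a minimal TLS 1.2 ServerHello record (fixture helper).

    extensions: list of (type, data) pairs; cipher suite is fixed to
    0xc02f (ECDHE-RSA-AES128-GCM-SHA256), session_id is empty.
    """
    ext_body = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    sh = b"\x03\x03" + bytes(32) + b"\x00" + b"\xc0\x2f" + b"\x00"
    if extensions:
        sh += struct.pack("!H", len(ext_body)) + ext_body
    hs = bytes([SERVER_HELLO]) + len(sh).to_bytes(3, "big") + sh
    return bytes([HANDSHAKE_RECORD]) + b"\x03\x03" + struct.pack("!H", len(hs)) + hs


# Constructed fixtures: one server that advertises secure renegotiation,
# one that only sends ec_point_formats (0x000b) and therefore would fail.
SAFE_SERVER_HELLO = build_server_hello([(RENEGOTIATION_INFO, b"\x00")])
UNSAFE_SERVER_HELLO = build_server_hello([(0x000B, b"\x01\x00")])

if __name__ == "__main__":
    for name, rec in (("safe", SAFE_SERVER_HELLO), ("unsafe", UNSAFE_SERVER_HELLO)):
        print(name, "secure renegotiation:", supports_secure_renegotiation(rec))
```

To run the same check against a live host rather than a fixture, feed the first handshake record returned after a ClientHello into parse_server_hello_extensions; `openssl s_client` reports the same fact as "Secure Renegotiation IS/IS NOT supported".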