Gervase Markham wrote:
Except that it would be an enormous amount of effort. There are 44 CAs
currently in Firefox, and 20 more in the queue.
So?
Each may have between one and ten different products.
That's why we propose the Mozilla CA policy defines this structure and
provide a framework of different levels.
All these products would need to be allocated levels,
Mozilla doesn't need to do that. The CA will assign its various
procedures to the appropriate level.
and the CAs would need to change their issuing systems
No! But if a CA wishes to make adjustments to better match this levels,
than it is free to do so. It's not a condition so.
to add the new OIDs.
Yes, this is the only requirement really. Technically this is not really
a problem. If there is no such OID it will be treated according to the
lowest level (or no level?).
And, as I believe I'm going to get to further down the thread, there
is no auditing to make sure the CA was honest in terms of doing the
correct amount of verification anyway.
Sorry? Gerv, please open a bug at bugzilla with the request to remove
all CA certificate from the NSS certificate store on the grounds, that
there is no auditing to make sure the CA was honest in terms of doing
the correct amount of verification.
Eddy's proposal is anything but "not too much trouble".
I don't understand where the trouble is really? Perhaps you explain?
But EV is backed up by audit. Eddy's proposal is not.
Utter nonsense! All CAs get audited according to their policies and
practices. The proposal is about defining SSL certificates in browsers
at last. A step long overdue. Auditing is covered by completely
different parts of the Mozilla CA policy. If you feel that it has to be
improved, perhaps make your suggestions. But the proposal has very
little to do with it!
I think the webtrusty audit includes adhering to their own standards.
And the standards for each level for each CA are public.
Except that analysing and classifying all those products from all
those CAs, and keeping up with changes, is a Herculean job.
It is not something Mozilla has to do. The CA does. The CA retains
responsibility and liability concerning correct assignment of its
issuance processes, the very same way CAs has to keep up with its
promises anyway concerning its verification and issuance procedures. Or
are you going to take over from now on the responsibility and liability?
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Phone: +1.213.341.0390
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security