Re: Proposal for Mozilla CA policy extension

Wed, 21 Feb 2007 05:51:44 -0800 

Hi Mister Charter77,
It would be nice, if you would post as a person and not as an email address... 

[EMAIL PROTECTED] wrote:

The project you propose is monumental in terms of 1) categorizing the
hundreds of certificate classes offered by the dozens of CAs, and

Again no! It was explained various times by now, that the Mozilla CA 
policy will provide the framework of four levels (according to the 
proposal) and the CAs will match their verification procedures to the 
appropriate level. It doesn't matter how many classes and levels a CA 
provides, it will have to define which of them matches which level. 
Nothing more to do here!

 2)
auditing compliance with the new tiers.

Again no! There is nothing new here in that respect. The Mozilla CA 
policy will not define/change CA policies and practices. No new audits 
are needed. Nothing will change in this respect. As you indicated, there 
are many different levels of verifications performed at CAs, just the 
browsers don't know what to do with it, because of the lack of proper 
definition. This is what it's all about.

  It could also take up to
three years to bring the new classification system online, assuming
CAs would only issue certificates with the new OIDs upon renewals.

  

CAs issuing certificates with longer validity than one year are anyway 
acting irresponsible! Or can anyone guaranty that during the course of 
one or more years, the subscriber:


- Didn't changed its name?
- Changed its address?
- Did renew its domain name? **

Ouch, to put it mildly.

Ouch for the CA issuing certificates for three years....eat your hat!


** Just imagine, you have a certificate valid for three years and owned 
a fairly popular domain name. You simply don't renew the domain name and 
another party picks the name. Now you have a completely valid 
certificate for a domain name which doesn't belong to you anymore. How's 
that?!


--
Regards

Signer:      Eddy Nigg, StartCom Ltd.
Phone:       +1.213.341.0390
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security

























					Reply via email to