Nelson Bolyard wrote:
Eddy Nigg wrote:
As of today, CAs
don't have to make any commitment concerning adherence to the Mozilla
CA policy and don't have to sign anything....
I think I agree with you about this, Eddy. As I understand it,
each CA whose root cert is in Microsoft's root CA list has signed a
contract with Microsoft.
I don't know about Microsoft in that respect, but it's certainly true
for Opera, since I have such a contract here.
One of the things the contract does is to
require the CA to hold Microsoft harmless from any law suit that might
be filed against Microsoft for a problem that was due to a CA's fault.
If a CA certifies a lie, and some user gets burned and he sues Microsoft,
the CA has to defend Microsoft and pay any judgments against Microsoft.
Right!
As I understand it, each root CA has to provide a bond that it can
perform that hold harmless clause, and the amount of the bond is set
forth in the contract. I think presently it's a number in the millions
of US Dollars.
I'm not sure about that; to the best of my knowledge this is not the case.
But I suggest that CAs should be reasonably insured for such cases...
A CA that issues subordinate CA certs to other CA
companies still has to hold Microsoft harmless for the performance of
those subordinate CAs, IINM. That gives the root CAs plenty of incentive
to monitor their subordinate CAs for compliance with their policies.
Absolutely! Any certificate issued from the root CA in question is to be
treated the same. It is the CA's full responsibility in that respect.
I think it's a shame that Mozilla
doesn't get similar protection. Why take the risk without getting any
mitigation of that risk?
Right, this has to be included in the Mozilla CA policy as part of the
overall agreement between Mozilla, the CAs, subscribers and relying parties.
Gerv wrote:
Definitely something for the lawyers, in that it would fundamentally
change the relationship between CA and browser.
Only for Mozilla browsers.
I suggest looking less left and right at what others do and have, and
simply starting to do the right things. It has to be good for Mozilla
first and foremost! Does anybody care about other software vendors? They
won't care about Mozilla....
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Phone: +1.213.341.0390
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security