Eddy Nigg (StartCom Ltd.) wrote:
> Robin, just to answer this one...
>
> Robin Alden:
>> [Robin said...] A fair point, and perhaps that is a whole other
>> problem. Our CA *does* have roots in NSS.
>>
>
> This is correct. However your CA roots are considered legacy roots which
> were inherited from the Netscape era. Many critics have rightly pointed
> to the fact that these legacy roots never underwent a review nor a proper
> inclusion process. This is the reason why Frank made your request for
> upgrade conditional and a general inclusion request as if these were new
> roots. Your CA doesn't enjoy immunity because you have these legacy
> roots in NSS, nor does any other CA have that privilege, no matter if
> legacy or not.
I don't have time to respond to each and every point in this whole discussion, but I did want to respond to this one. As Eddy notes, we have a lot of roots in Mozilla that were inherited from the old Netscape days. We now have a formal policy by which we evaluate requests from new CAs, including new CAs issuing EV certs, and I thought it was unfair to evaluate only new CAs and forever exempt old CAs from similar scrutiny. Thus, as the opportunity arises, I've been trying to go back and look at old roots.

Requests by various CAs to enable old roots for EV use presented just such an opportunity to not just look at the EV-related aspects of the CAs but also to review how other aspects of the CAs stacked up vis-a-vis our CA policy, and to let people in the Mozilla community (which means potentially anyone) make comments and suggestions relating to particular CA requests. This is just the way we work; we're not Microsoft or Apple, we're a public project and we have public processes.

Doing such reviews and allowing such comments does not imply that I'm going to be pulling old roots out of NSS and Firefox. It also does not imply that I'm going to hold up EV-related requests until CAs address all comments and adopt all suggestions, or until we decide whether our policy needs revising and how to revise it. This is particularly true where the issues involve CA practices related to non-EV certs, since those issues will not be affected one way or another by our enabling CAs for EV.

However, I think it's perfectly reasonable for us (Mozilla in general) to formally call out CA practices that may not be explicitly addressed by our policy, and that may not affect my decisions under the policy, but that we consider to be problematic in one way or another, and to publicly encourage CAs to modify them in various suggested ways.
Issuing long-lived DV certs and wildcard DV certs may be particular practices worth our having some formal positions on, even if they're not addressed by our official policy.

Frank