On Fri, May 2, 2008 at 8:08 AM, Eddy Nigg (StartCom Ltd.) <[EMAIL PROTECTED]> wrote:

> In comment https://bugzilla.mozilla.org/show_bug.cgi?id=431621#c5 the
> representative of DigiNotar (Kick) notes that their CA root has been
> cross-signed by Entrust. Now this effectively circumvented our policy in
> case of DigiNotar.

DigiNotar is not alone in having a root cross-signed by Entrust; this was apparently fairly common practice among new CAs trying to get recognized in browsers. This issue will take a while to sort out, I think. I don't know exactly how widespread this practice was/is, and I think there are also some technical issues in NSS regarding certificate path processing that may affect this.

> As I understand, until the release of FF3 no new CAs will be included and
> approved.

That is half true. I will still consider CA applications during the time between now and the Firefox 3 launch, and if appropriate I will approve new CAs for inclusion and file the necessary bugs against NSS and (for EV) PSM. However, as a practical matter I think any new CAs approved past today will not appear in Firefox until the 3.0.0.1 update release (at the earliest).

> I suggest that we invest our time to bring our house somewhat in
> order before we continue. I would like to put the following points to the
> agenda:

<snip>

I agree that this would be a useful time to do some housekeeping work.

> Frank, could we work out a plan and time frame for the points above? Are
> there other issues which should be added? Other suggestions, objections?

Besides the points you mentioned, here are some things I think need to be done:

6) Make sure that bugs have been properly filed for all known CA requests.

7) Make sure that all bugs for CAs have a correct status. (For example, mark bugs as RESOLVED FIXED where appropriate.)

8) Make sure the "included" page on www.mozilla.org is revised to reflect all new CAs approved for inclusion as of now.

9) Make sure the "pending" page on www.mozilla.org has an entry (possibly very minimal) for all CA requests for which bugs have been filed.

10) Find a person or persons to help with basic information gathering on CAs. (This is somewhat different from your point about the overall CA decision process.)

The items above are actually my highest priority right now. I think we need to have correct information for where we are right now before trying to start major new projects like CA management tools.

Frank

--
Frank Hecker

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
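The mechanism behind the cross-signing concern in the thread, as an added illustration that is not part of the original message, of NSS, or of any CA's code: a root that is not in the browser's root store still validates once some trusted root has issued a cross-certificate for that root's name, because path building chains on issuer names and will pick up the cross-certificate. The model below reduces certificates to (subject, issuer) pairs and performs name chaining only; no signatures are checked, and the CA names and host name are constructed for the example. It also shows the check a practitioner wants: merely leaving the root out of the store does not block the path, while an explicit distrust entry for the CA's name does.

```python
"""Model of certificate path building in the presence of a cross-signed root.

Added example, not code from the mailing-list thread, from NSS, or from any CA.
Certificates are reduced to (subject, issuer) name pairs; path building is
name chaining only and no signatures are verified.  All names are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    is_ca: bool = True

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


def build_paths(leaf, pool, anchors, distrusted=frozenset()):
    """Return every name path leaf -> ... -> trusted root subject.

    pool       : certificates available to the path builder (intermediates,
                 cross-certificates, self-signed roots found in the wild)
    anchors    : subject names of roots in the trust store
    distrusted : subject names that terminate a path as untrusted, even if a
                 cross-certificate would otherwise carry it to an anchor
    """
    paths = []

    def walk(cert, names):
        if cert.subject in distrusted:
            return
        # Issuer is a trusted root: the path is complete.
        if cert.issuer in anchors and cert.issuer not in distrusted:
            paths.append(names + [cert.issuer])
            return
        # Self-signed but not in the store: dead end (the "no inclusion" case).
        if cert.self_signed:
            return
        # Otherwise try every CA certificate whose subject is our issuer.
        # A cross-certificate has the same subject as the foreign root but a
        # different issuer, so it is found here alongside the self-signed root.
        for cand in pool:
            if cand.subject == cert.issuer and cand.is_ca and cand.subject not in names:
                walk(cand, names + [cand.subject])

    walk(leaf, [leaf.subject])
    return paths


# Constructed scenario: "BigCA" is in the root store, "NewCA" is not.
TRUSTED_ROOTS = frozenset({"Example BigCA Root"})
NEWCA_ROOT = Cert("Example NewCA Root", "Example NewCA Root")   # self-signed, not included
CROSS_CERT = Cert("Example NewCA Root", "Example BigCA Root")   # NewCA's key, signed by BigCA
LEAF = Cert("www.example.test", "Example NewCA Root", is_ca=False)


def chains_without_cross_cert():
    """Root not in the store and no cross-certificate: no path, as policy intends."""
    return build_paths(LEAF, [NEWCA_ROOT], TRUSTED_ROOTS)


def chains_with_cross_cert():
    """Same store, but the cross-certificate is available: the leaf now validates."""
    return build_paths(LEAF, [NEWCA_ROOT, CROSS_CERT], TRUSTED_ROOTS)


def chains_with_explicit_distrust():
    """Explicit distrust of the CA name blocks the cross-signed path as well."""
    return build_paths(LEAF, [NEWCA_ROOT, CROSS_CERT], TRUSTED_ROOTS,
                       distrusted=frozenset({"Example NewCA Root"}))


if __name__ == "__main__":
    print("no cross-cert      :", chains_without_cross_cert())
    print("with cross-cert    :", chains_with_cross_cert())
    print("explicit distrust  :", chains_with_explicit_distrust())
```

Run directly, the script prints an empty path list for the first and third cases and a single three-name path (leaf, NewCA root, BigCA root) for the second. The point for store maintainers is the difference between cases one and three: omission from the store is a passive control that a cross-certificate issued by any included root defeats, whereas a distrust record keyed on the CA's name (or, in a real implementation, its key) holds regardless of who cross-signs it.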