Frank Hecker:
(In reply to comment #17 <https://bugzilla.mozilla.org/show_bug.cgi?id=431621#c17>)
> FF2 allowed me to view the page eventually. The affected root is "Entrust.net
> Secure Server Certification Authority". Please strip the email trust from this
> root for now.

Eddy, I think it would be unwise (to put it mildly) to make a major change like
disabling Entrust's email trust bit in a rush. We have no idea at this point
what the impact of a change like that would be. And in any case the change is
irrelevant to Firefox 3, since AFAIK Firefox would never consult the email
trust bit.

I also took this comment from the bug to here, since I think it is more appropriate to discuss it on the mailing list.

I think we have some opposing views on the subject. Well, it isn't the first time... :-)

CAs are today required by improving standards and best practices to publish CRLs in an ever shorter period, down to 24 hours of renewal period at least. OCSP responders give almost instant results on the status of EE certificates.

CAs have procedures and regulations in place for various scenarios which include a security breach, key compromise, fraudulent or wrongful issuance of EE certificates and so on. Most of the time these regulations require action within a very limited time period.

And here you come and say that this issue, which is comparable to some sort of compromise, more exactly a breach of the most basic policy requirements of Mozilla, is a major change (like disabling the email trust bit of Entrust, which they most likely never should have enabled in the first place) and that you have no idea about the impact of such a change.

Shall I tell you which impact this has on the trust and reliance for the relying parties? Do you know how unwise it is to have CAs not adhering to the Mozilla CA policy? Why are there no policies which require Mozilla to react under such circumstances? Why is this an issue for debate and discussion at all? What about Mozilla's responsibilities? I start to get the feeling that the concepts of how CAs (should) operate, how policies require actions to enforce them are simply misunderstood here.

Some analogy:

Bystander: Sheriff, the bank was robbed.
Sheriff: Mhhh, do you know who it was?
Bystander: It was the Entrust Gang, Sheriff, I'm sure about it.
Banker: They stole most of our assets (Trust, Reliance).
Sheriff: I think it unwise to chase the gangsters, they might have weapons and I could get shot.
Bystander: But Sir, you are the Sheriff, you should enforce the law.
Sheriff: Right, let's see what impact this would have. I could get hurt, I could miss the dinner, I might even....
Bystander and Banker: - Silence
Sheriff: Let's wait a little bit until they can get away far enough so a chase would be useless.
Banker: But what about our assets?
Sheriff: I don't know, but I don't want to rush things....


I thought the Mozilla Foundation acts for the good of all projects. Sure, Firefox doesn't need the email trust bit usually, but SeaMonkey relies on NSS, Thunderbird 3 Alpha will be out soon, Thunderbird 2 receives updates with NSS, other software relies on NSS.



--
Regards
Signer:         Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber:         [EMAIL PROTECTED] <xmpp:[EMAIL PROTECTED]>
Blog:   Join the Revolution! <http://blog.startcom.org>
Phone:          +1.213.341.0390


_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
