At 10:48 AM -0400 5/2/08, Frank Hecker wrote:
>On Fri, May 2, 2008 at 8:08 AM, Eddy Nigg (StartCom Ltd.)
><[EMAIL PROTECTED]> wrote:
>>   In comment https://bugzilla.mozilla.org/show_bug.cgi?id=431621#c5 the
>>  representative of DigiNotar (Kick) notes that their CA root has been
>>  cross-signed by Entrust. Now this effectively circumvented our policy in
>>  case of DigiNotar.
>
>DigiNotar is not alone in having a root cross-signed by Entrust; this
>was apparently fairly common practice among new CAs trying to get
>recognized in browsers. This issue will take a while to sort out I
>think. I don't know exactly how widespread this practice was/is, and I
>think there are also some technical issues in NSS regarding
>certificate path processing that may affect this.

I certainly hope there are path processing issues! Either the trust 
anchor stands on its own, or it points to a higher-up CA through name 
chaining.

There is also a policy question of whether or not Entrust's CPS says 
what cross-signing means in a way that both we and the auditors can 
understand. On its face (without having read the documents), I think 
it sounds pretty shaky to have a CA saying "you can trust that other 
CA to do the right thing because you trust us to do the right thing" 
when there is no easy financial chain of trust we can follow.
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
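The path-processing point raised above, as an added toy model that is not part of the thread: when a CA's root has also been cross-signed by another trusted CA, removing that root from the trust store does not stop its chains from validating, because name chaining finds a second route through the cross-certificate. Certificates are modelled as (subject, issuer) name pairs; the names are constructed placeholders and no signature or validity checking is performed.

```python
"""Toy model of X.509 path building in the presence of a cross-certificate.

Added illustration; the entries below are constructed name pairs, not real
certificates, and only issuer-name chaining is modelled.
"""
from collections import deque

# Constructed sample "certificates" as (subject, issuer). A self-issued
# pair models a root that stands on its own; a second pair for the same
# subject with a different issuer models a cross-certificate.
CERTS = [
    ("Entrust Root", "Entrust Root"),
    ("DigiNotar Root", "DigiNotar Root"),   # DigiNotar's own self-signed root
    ("DigiNotar Root", "Entrust Root"),     # cross-certificate issued by Entrust
    ("DigiNotar Sub CA", "DigiNotar Root"),
    ("www.example.test", "DigiNotar Sub CA"),
]


def build_paths(leaf, certs, anchors):
    """Return every issuer chain from `leaf` that ends at a name in `anchors`.

    Path building follows *all* certificates whose subject matches the
    current issuer name, so a cross-certificate opens an extra route.
    Building stops as soon as a trusted anchor is reached.
    """
    issuers_by_subject = {}
    for subject, issuer in certs:
        issuers_by_subject.setdefault(subject, []).append(issuer)

    paths = []
    queue = deque([[leaf]])
    while queue:
        path = queue.popleft()
        current = path[-1]
        for issuer in issuers_by_subject.get(current, []):
            if issuer == current:            # self-signed: chain ends here
                if current in anchors:
                    paths.append(path)
                continue
            if issuer in path:               # guard against issuer loops
                continue
            if issuer in anchors:
                paths.append(path + [issuer])
            else:
                queue.append(path + [issuer])
    return paths


def trusted_via(leaf, anchors, certs=CERTS):
    """Sorted names of the anchors that terminate at least one path for `leaf`."""
    return sorted({path[-1] for path in build_paths(leaf, certs, anchors)})
```

With both roots trusted the chain ends at DigiNotar's own root; with only Entrust trusted it still validates, now through the cross-certificate, which is the policy gap the thread describes.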
