Eddy Nigg (StartCom Ltd.) wrote:
> Frank Hecker:
<snip>
>> Eddy, I think it would be unwise (to put it mildly) to make a major change
>> like disabling Entrust's email trust bit in a rush. We have no idea at this
>> point what the impact of a change like that would be. And in any case the
>> change is irrelevant to Firefox 3, since AFAIK Firefox would never consult
>> the email trust bit.
>
> I took this comment from the bug also to here, since I think it more
> appropriate to discuss it at the mailing list.
>
> I think we have some opposing views on the subject. Well, it isn't the
> first time... :-)
So let me make my own views clear on two points where we may have opposing views:

First, with respect to the impact of turning off the Entrust email trust bit, my concern is as follows: There may be Entrust-controlled subordinates under the Entrust root that issue email certificates, and also non-Entrust CAs cross-signed by Entrust (like DigiNotar) that issue email certificates. Unlike DigiNotar, some of those subordinate CAs or cross-signed CAs may actually comply with Mozilla CA policy with regard to issuing email certificates. If so, I'd like to look at the possibility of adding their CA certificates as trust anchors, so that their email certificates will continue to work, and so users of Thunderbird and other Mozilla-based mail clients will not be unduly impacted by any disabling of email trust at the Entrust root level.

I am especially interested in whether any of the CAs waiting in our request queue have cross-signing arrangements with Entrust. If so, that may affect the priority we assign to evaluating their requests.

There may be other CAs that are taking advantage of Entrust cross-signing to get their certificates recognized in Firefox, Thunderbird, etc., but have never submitted a request to us to include their roots. I am less worried about these CAs, but it might be nice to at least be able to tell them what we're doing and ask them to submit their own inclusion requests.

Second, with regard to schedule: We are at a critical point in the Firefox 3 schedule, with Firefox 3 RC1 coming up fast. Firefox 3 does not use the email trust bit, so there is no need to tie any Entrust email trust bit changes to the Firefox 3 schedule. Instead we should look at the schedule for upcoming update releases of Thunderbird and SeaMonkey, and determine what sort of timeframe we have for making a change like this.
Frank

--
Frank Hecker
[EMAIL PROTECTED]
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto