Frank Hecker:
So let me make my own views clear on two points that you made on which we may
have some opposing views:
OK
First, with respect to the impact of turning off the Entrust email trust
bit, my concern is as follows: There may be Entrust-controlled subordinates
under the Entrust root that issue email certificates, and also
non-Entrust CAs cross-signed by Entrust (like DigiNotar) that issue
email certificates.
Exactly.
Unlike DigiNotar, some of those subordinate CAs or
cross-signed CAs may actually comply with Mozilla CA policy with regard
to issuing email certificates.
Maybe, but who cares at this stage? I mean we have facts, that the trust
relationship between Mozilla and Entrust has been breached. And I'm not
blaming DigiNotar, since they never claimed to validate email addresses.
There is no way one can remove the responsibility away from the CA whose
root is in Mozilla! I think I don't have to explain that even...
If so, I'd like to look at the
possibility of adding their CA certificates as trust anchors, so that
their email certificates will continue to work, and so users of
Thunderbird and other Mozilla-based mail clients will not be unduly
impacted by any disabling of email trust at the Entrust root level.
This might be certainly welcome, however the time frame of finding those
and having them included isn't something I would make depend on a decision
for removing the email trust bit from the affected CA root certificate.
We are not in a guessing game here, we are implementing policies. We
must do our job according to the policy we've accepted.
(Besides, who cares about the subscriber anyway, it's the relying party
which matters here)
I am especially interested in whether any of the CAs waiting in our request
queue have cross-signing arrangements with Entrust. If so, that may
affect the priority we assign to evaluating their requests. There may be
other CAs that are taking advantage of Entrust cross-signing to get
their certificates recognized in Firefox, Thunderbird, etc., but have
never submitted a request to us to include their roots.
We are certainly interested to know about it, however it's not our job
starting a search and rescue operation for CAs which might be under
Entrust's root and who might be affected. Besides that they themselves
might not be in compliance with the policy to start with...
I am less
worried about these CAs, but it might be nice to at least be able to
tell them what we're doing and ask them to submit their own inclusion
requests.
Frank, I'm most worried about exactly those CAs. CAs which have applied
for inclusion such as DigiNotar have undergone a certain process and we
most importantly know about them. I'm worried a lot about what we don't
know!
Of course they can apply for inclusion once they realize that the email
trust bit is gone (not sure if they'd even realize, I don't have any
S/MIME certificates signed by Entrust so far in my "Other Peoples" tab).
Entrust can reapply to have that trust bit enabled again too.
Second, with regard to schedule: We are at a critical point in the
Firefox 3 schedule, with Firefox 3 RC1 coming up fast. Firefox 3 does
not use the email trust bit, so there is no need to tie any Entrust
email trust bit changes to the Firefox 3 schedule. Instead we should
look at the schedule for upcoming update releases of Thunderbird and
SeaMonkey, and determine what sort of timeframe we have for making a
change like this.
Frank, I'm using Thunderbird day-in, day-out. I rely on it. It's one of
my most important tools I've got. Nelson uses SeaMonkey (AFAIK) and
relies on it. Two important users which rely on it daily! If you intend
to live up to the Mozilla policy then there are facts, which require
action in this or that way.
(Entrust can revoke the signed CA certificate if they prefer, otherwise
that trust bit must go away and an update published as soon as possible.
Do you remember that just a few days or weeks ago you explained to me
the update mechanism in case a CA must be removed/adjusted/have the EV
status changed? I'm worried that you will not live up to that, once such
a case happens.)
--
Regards
Signer: Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber: [EMAIL PROTECTED] <xmpp:[EMAIL PROTECTED]>
Blog: Join the Revolution! <http://blog.startcom.org>
Phone: +1.213.341.0390
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto