Eddy,

If this is such a serious concern, why did Microsoft decide to put
this CA inside the Windows
CA store and even distribute this via automatic update?
Installation of the Telekom CA into Firefox and putting more
restrictive policies for CAs into action in general
are two different topics and should not be interwoven.

The comment today that Cologne University (one of Germany's largest)
recommends IE as
standard browser just because of this CA question shows that this
issue must be resolved immediately!

Best regards,
Rainer

On 20 Jul., 01:37, Eddy Nigg <[EMAIL PROTECTED]> wrote:
> I started to review this inclusion request by reading parts of the
> German version of the CP and CPS, which I understand is the only legal
> document. The English version seems to be a draft only and perhaps not
> legally binding.
>
> Nevertheless I read mostly the English version which is easier to
> understand. Similar to Kathleen's comment
> at https://bugzilla.mozilla.org/show_bug.cgi?id=378882#c46 I had difficulty
> coming to a positive conclusion concerning their handling of
> subordinate CAs and about the validation methods this CA requires. Some
> has been answered in the bug, however the CP/CPS is not clear at all in
> that respect and basically the concerns raised by Kathleen haven't been
> addressed.
>
> Subordinate CAs may be external to T-Systems and as I understand not
> part and covered by the audit performed by E&Y. Instead we are referred
> to "contractual obligations" without defining what those obligations
> are. Those obligations are not clearly defined anywhere as far as I
> could see. This is a problem which has been pointed out here previously
> and at http://wiki.mozilla.org/CA:Problematic_Practices
>
> Apparently subordinated CAs maintain their own sets of subordinated CA
> certificates - despite the illustrations and descriptions and comments
> telling us otherwise, or the term of root CAs is interpreted differently
> in the CPS and are actually subordinated CAs. Anyway, that's what I
> found out after visiting the suggested URL in comment 52 of bug
> 378882: https://www.pki.dfn.de/
>
> I couldn't find any clear regulation in respect of the issuing and
> maintaining of subordinated CAs which are themselves subordinated to the
> T-Systems root.
>
> Validation of email addresses and domain names isn't clearly defined
> (or I might have simply missed the relevant sections). Instead CP/CPS of
> the subordinated CAs are governing and regulating those aspects
> according to
> comment https://bugzilla.mozilla.org/show_bug.cgi?id=378882#c52 and domain
> ownership is commented with:
>
> "Checking for the ownership of the domain is part of the legal process
> to come to a contract with those customers (It's no big deal to examine
> the ownership of the domain via the responsible NIC)"
>
> The "legal processes" are nowhere defined as far as I could find in the
> CP/CPS nor are alternative minimum requirements concerning validations
> clearly published. I haven't seen any CP/CPS of sub CAs which regulates
> those aspects nor were they examined by Mozilla so far. Nor could I find
> how IP addresses are handled, which domain names are acceptable or anything
> with relevance in that respect (hostnames, wild cards, IP addresses,
> FQDN etc). The same applies for email address verification. Neither have
> I found how identities and organizations are validated, which might be
> relevant for code signing certificates.
>
> My input is by no means conclusive and perhaps Kathleen or a
> representative of T-Systems can point me to the relevant sections of
> their CP/CPS. I reserve the right to raise additional questions during
> the comments period should I find anything which should be cleared
> before continuing.
>
> --
> Regards
>
> Signer: Eddy Nigg, StartCom Ltd.
> Jabber: [EMAIL PROTECTED]
> Blog:  https://blog.startcom.org
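The validation gaps Eddy lists (hostnames, wildcards, IP addresses, FQDNs, email addresses) and the question of externally operated subordinate CAs both come down to rules that can be checked mechanically once a policy actually states them. What follows is an added example, not code from this thread, from T-Systems or from Mozilla: it classifies subjectAltName entries and checks each one against RFC 5280-style name constraints of the kind a technically constrained sub-CA would carry. The SAN values and the permitted subtrees in it are constructed for illustration.

```python
"""Classify subjectAltName entries and check them against RFC 5280-style
name constraints. Added example (not from the thread); the SAN values and
the permitted subtrees below are constructed."""
import ipaddress
import re

# One DNS label: 1-63 chars, letters/digits/hyphen, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_fqdn(name: str) -> bool:
    """Accept only fully qualified names: at least two valid labels."""
    labels = name.rstrip(".").split(".")
    return len(labels) >= 2 and all(_LABEL.match(label) for label in labels)


def classify_san(entry: str) -> str:
    """Return the kind of a SAN entry: 'dns', 'wildcard', 'ip', 'email' or 'invalid'."""
    if "@" in entry:
        local, _, host = entry.rpartition("@")
        return "email" if local and is_fqdn(host) else "invalid"
    try:
        ipaddress.ip_address(entry)
        return "ip"
    except ValueError:
        pass
    if entry.startswith("*."):
        # Only a single leading wildcard label is accepted; '*.' alone is not.
        return "wildcard" if is_fqdn(entry[2:]) else "invalid"
    return "dns" if is_fqdn(entry) else "invalid"


def dns_in_subtree(name: str, subtree: str) -> bool:
    """RFC 5280 dNSName constraint: the name equals the subtree or has extra
    labels prepended to it. A leading dot on the subtree is tolerated."""
    n = name.lower().rstrip(".")
    s = subtree.lower().strip(".")
    return n == s or n.endswith("." + s)


def email_in_subtree(addr: str, subtree: str) -> bool:
    """RFC 5280 rfc822Name constraint: a bare host name matches mailboxes on
    exactly that host, a leading-dot form matches any host in the domain, and
    a full mailbox matches only itself."""
    host = addr.rpartition("@")[2].lower()
    s = subtree.lower()
    if "@" in s:
        return addr.lower() == s
    if s.startswith("."):
        return host.endswith(s)
    return host == s


def ip_in_subtree(addr: str, network: str) -> bool:
    """iPAddress constraint: the address falls inside the permitted network."""
    return ipaddress.ip_address(addr) in ipaddress.ip_network(network, strict=False)


def review_san_list(entries, permitted):
    """Map each SAN entry to a verdict: 'ok', 'invalid' (malformed or not an
    FQDN) or 'outside-constraints' (well-formed but not within any permitted
    subtree of its kind). `permitted` is a dict with keys 'dns', 'ip', 'email'."""
    verdicts = {}
    for entry in entries:
        kind = classify_san(entry)
        if kind == "invalid":
            verdicts[entry] = "invalid"
            continue
        if kind in ("dns", "wildcard"):
            # A wildcard name is compared as-is, so '*.example.com' sits under 'example.com'.
            allowed = any(dns_in_subtree(entry, s) for s in permitted.get("dns", ()))
        elif kind == "ip":
            allowed = any(ip_in_subtree(entry, s) for s in permitted.get("ip", ()))
        else:
            allowed = any(email_in_subtree(entry, s) for s in permitted.get("email", ()))
        verdicts[entry] = "ok" if allowed else "outside-constraints"
    return verdicts


if __name__ == "__main__":
    # Constructed sample: what a technically constrained sub-CA for one
    # organisation might be allowed to issue, and a mixed bag of SAN entries.
    constraints = {"dns": ["example.com"], "ip": ["192.0.2.0/24"], "email": ["example.com"]}
    sans = ["www.example.com", "*.example.com", "192.0.2.10", "alice@example.com",
            "intranet", "203.0.113.5", "bob@mail.example.com", "notexample.com"]
    for entry, verdict in review_san_list(sans, constraints).items():
        print(f"{entry:24} {classify_san(entry):9} {verdict}")
```

The point of the exercise is that every line of `review_san_list` encodes a decision a CP/CPS has to make explicitly: whether single-label names are ever acceptable, whether wildcards are issued at all, whether IP addresses are allowed, and which subtrees an external sub-CA is confined to. A sub-CA that is not covered by the root's audit can still be bounded by such a name-constraints extension, which is the technical complement to the "contractual obligations" the thread finds undefined.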

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto