Justin Dolske wrote:
> Out of curiosity... How many (if any) such CAs are currently included
> in NSS?

It's not clear, since we've never gone back and looked at all the legacy CAs. There are certainly a number of root CAs that authorize third parties to run subordinate CAs and issue end entity certificates. This is fairly common with large companies -- they get a subordinate CA cert issued by a root, and then run their own CAs internally.

> It seems a little scary to be providing a way for these 3rd
> party CAs to become operational in Mozilla products without going
> through the Mozilla approval process. It seems like a different degree
> of trust.

I don't think the practice of having third party subordinates is in and of itself a problem. It's just that the root CA needs to have some sort of control over the subordinates (e.g., through appropriate legal agreements), and some way of ensuring (e.g., through audits) that the subordinates operate in accordance with the controls.

Remember that a lot of CAs working with enterprises outsource the Registration Authority function to those enterprises. In other words, the enterprise is ultimately responsible for doing verification of subscribers (e.g. when issuing certificates to employees and corporate web sites), even when the CA itself is issuing the certificate. Going from outsourced RAs to third-party subordinates adds some additional risk, but it's not a qualitatively different situation as I see it.

Frank

--
Frank Hecker
[EMAIL PROTECTED]
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
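The point behind Justin's concern and Frank's reply can be shown concretely. The following is an added example, not code from the thread or from NSS: it uses Go's standard-library crypto/x509 path validator as a stand-in for a browser's certificate verifier. It builds a self-signed root, a subordinate CA issued by that root (standing in for a third-party or enterprise sub-CA), and an end-entity certificate issued by the subordinate, then checks that the end-entity certificate validates against a trust store containing only the root. It goes one step beyond the thread by also showing the one technical control a root can express in the certificate itself, a basicConstraints pathLenConstraint, which rejects a chain that nests one CA deeper than the root allows. All names (root-ca.example, sub-ca.example, www.example) and the helper functions are made up for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue creates a certificate for cn. pathLen < 0 means no pathLenConstraint.
// If parent is nil the certificate is self-signed (a root); otherwise it is
// signed by parentKey, i.e. the parent CA "authorizes" the new subject.
func issue(cn string, isCA bool, pathLen int, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		MaxPathLen:            pathLen,          // -1 (unset) or the limit
		MaxPathLenZero:        pathLen == 0,     // Go needs this to emit "0"
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, signerKey := tmpl, key // self-signed by default
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// verifyAgainst validates leaf for dnsName with the given trust anchors; the
// subordinate CAs are supplied the way a server would send them, not trusted.
func verifyAgainst(leaf *x509.Certificate, intermediates, anchors []*x509.Certificate, dnsName string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range anchors {
		roots.AddCert(c)
	}
	for _, c := range intermediates {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: dnsName})
	return err
}

// Scenario returns the validation result for a leaf issued by a subordinate
// CA (viaSub) and for a leaf issued one level deeper than the root's
// pathLenConstraint permits (viaSubSub). Only the root is in the trust store.
func Scenario() (viaSub, viaSubSub, buildErr error) {
	root, rootKey, err := issue("root-ca.example", true, 1, nil, nil) // pathLen 1: at most one CA below
	if err != nil {
		return nil, nil, err
	}
	sub, subKey, err := issue("sub-ca.example", true, -1, root, rootKey) // third-party subordinate
	if err != nil {
		return nil, nil, err
	}
	leaf, _, err := issue("www.example", false, -1, sub, subKey)
	if err != nil {
		return nil, nil, err
	}
	subSub, subSubKey, err := issue("deep-ca.example", true, -1, sub, subKey) // sub-CA under the sub-CA
	if err != nil {
		return nil, nil, err
	}
	deepLeaf, _, err := issue("deep.example", false, -1, subSub, subSubKey)
	if err != nil {
		return nil, nil, err
	}
	anchors := []*x509.Certificate{root}
	viaSub = verifyAgainst(leaf, []*x509.Certificate{sub}, anchors, "www.example")
	viaSubSub = verifyAgainst(deepLeaf, []*x509.Certificate{sub, subSub}, anchors, "deep.example")
	return viaSub, viaSubSub, nil
}

func main() {
	viaSub, viaSubSub, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Println("leaf via subordinate CA, root-only trust store:", viaSub) // nil: accepted
	fmt.Println("leaf one CA deeper than root's pathLen allows:", viaSubSub)
}
```

The first result is the behaviour Justin describes: the subordinate never appears in the trust store, yet everything it issues is accepted because the root's signature carries the root's trust down the chain. The second result shows the only constraint a browser can enforce on its own; everything else Frank lists (contracts, audits, RA practices) lives outside the certificate and is invisible to the verifier.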