Frank Hecker wrote:
> In accordance with the schedule at
> https://wiki.mozilla.org/CA:Schedule
> I am now opening the first public discussion period for a request from
> Microsec Ltd to add the Microsec e-Szigno Root CA root certificate to
> Mozilla. This is bug 370505, and Kathleen has produced an information
> document attached to the bug.
> https://bugzilla.mozilla.org/show_bug.cgi?id=370505

First, my apologies for the delay in my responding to the public
comments. I've messed up the schedule I previously outlined; see below
for my proposal to revise the schedule and deal with the Microsec request.

I've read through all the public comments. Rather than try to respond to
each and every comment, I've written a brief summary of my
understanding of the various issues raised. Please feel free to correct
my understanding where appropriate.

* Translation of the Microsec CPSs. As I noted in my original message,
all of the Microsec CPS documents are available in Hungarian only. Our
policy does not mandate that CA documents be available in English, so I
don't see a justification for requiring that Microsec prepare official
English translations. Thus far we've relied on Microsec-provided
translations of key CPS sections; the Mozilla Hungarian localization
team (in the person of Kálmán Kéménczy) was kind enough to verify the
accuracy of the translations.

IMO getting human-created English translations of all the CPSs is going
to be too difficult and time-consuming to be feasible, at least in the
near term. I've followed up on the tips provided by Eddy Nigg and
researched various options for machine translation of Hungarian. It
appears that the best online option is the Webforditas.hu site:
http://www.webforditas.hu/web-translator.php
http://www.webforditas.hu/translation.php
The company behind the site also sells a Windows-based translation
application (MorphLogic). I'm going to try and see if I can use either
the site or (more likely) the application to get rough translations of
relevant CPS sections, starting with the tables of contents.

* Liability associated with Microsec certificates. There were a number
of comments relating to the monetary liability associated with Microsec
certificates. The thread was interesting in relation to understanding
practices in Hungary and the EU, but I think that ultimately it is not
relevant to our consideration of this request. Our policy does not have
any requirements relating to monetary liability of CAs, and I am not
persuaded that disclaiming liability in certain contexts causes security
issues for typical Mozilla users. I'm therefore minded to ignore this
issue for purposes of evaluating this request.

* OCSP. My understanding is that the Microsec practice of having a
separate root for OCSP is very problematic, particularly given the
inclusion of AIA extensions with OCSP URLs in end entity certificates.
As I understand it, Microsec is removing AIA extensions with OCSP URLs
from end entity certificates and from intermediate CA certificates, and
this should address this problem going forward. However, there still
appears to be an open question as to whether having an AIA extension
with OCSP URL in the Microsec root certificate will cause a problem with
NSS. (Nelson wrote that he was going to investigate this, but I don't
recall seeing a followup to this.)

Based on the above, my inclination is to postpone consideration of this
request for at least two weeks. That will give me time to try to get
more of the Microsec CPS content translated, and also to get a final
answer on the question of root certificates with AIA extensions with
OCSP URLs. Once those two things get done I'll formally start a new
public comment period. (You can still comment in the meantime, of
course; I'm just setting a formal date for purposes of scheduling CA
requests.)

I've revised the CA schedule to reflect this delay:
https://wiki.mozilla.org/CA:Schedule

Frank
--
Frank Hecker
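
The OCSP item in the message above turns on which certificates in a chain (end entity, intermediate, root) carry an AIA extension with an OCSP URL. The following Python is an added example, not part of the original message and not Mozilla, NSS or Microsec code: it walks DER with the standard library only and lists the OCSP URLs in any AIA extension it finds. The `example.test` URLs and the sample bytes are constructed for illustration.

```python
OID_AIA = bytes.fromhex("2b06010505070101")    # 1.3.6.1.5.5.7.1.1 authorityInfoAccess
OID_OCSP = bytes.fromhex("2b06010505073001")   # 1.3.6.1.5.5.7.48.1 id-ad-ocsp

def tlvs(buf):
    """Yield (tag, content) for each DER element in buf."""
    i = 0
    while i < len(buf):
        if i + 2 > len(buf):
            raise ValueError("truncated DER")
        tag, length = buf[i], buf[i + 1]
        i += 2
        if length & 0x80:                  # long form: low 7 bits give the length-of-length
            n = length & 0x7F
            length = int.from_bytes(buf[i:i + n], "big")
            i += n
        if i + length > len(buf):
            raise ValueError("truncated DER")
        yield tag, buf[i:i + length]
        i += length

def ocsp_urls(der):
    """Return the OCSP responder URLs of every AIA extension found inside der."""
    urls = []
    for tag, body in tlvs(der):
        if not tag & 0x20:                 # primitive element, nothing nested to inspect
            continue
        kids = list(tlvs(body))
        if tag == 0x30 and kids and kids[0] == (0x06, OID_AIA):
            (_, descriptions), = tlvs(kids[-1][1])   # extnValue OCTET STRING wraps a SEQUENCE
            for _, desc in tlvs(descriptions):
                (_, method), (loc_tag, loc) = tlvs(desc)
                if method == OID_OCSP and loc_tag == 0x86:   # [6] uniformResourceIdentifier
                    urls.append(loc.decode("ascii"))
        else:
            urls += ocsp_urls(body)
    return urls

def enc(tag, *parts):                      # minimal DER encoder, only for the samples below
    body = b"".join(parts)
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

# Constructed samples: the [3] extensions field of a certificate, with and without AIA.
AIA = enc(0x30,
          enc(0x30, enc(0x06, OID_OCSP), enc(0x86, b"http://ocsp.example.test/")),
          enc(0x30, enc(0x06, bytes.fromhex("2b06010505073002")), enc(0x86, b"http://ca.example.test/ca.crt")))
WITH_AIA = enc(0xA3, enc(0x30, enc(0x30, enc(0x06, OID_AIA), enc(0x04, AIA))))
NO_AIA = enc(0xA3, enc(0x30, enc(0x30, enc(0x06, bytes.fromhex("551d13")),
                                  enc(0x04, enc(0x30, enc(0x01, b"\xff"))))))
```

To check a real certificate, convert its PEM text with `ssl.PEM_cert_to_DER_cert()` and pass the result to `ocsp_urls()`; an empty list means the certificate has no OCSP URL in an AIA extension.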