Duane wrote (quoting me):

>> I must say this: you're REALLY underselling your own practices.
>
> This is more to do with the fact of us unsure of what we need
> documented, and the fact none of us have ever undertaken anything of
> this nature in the past, so it's all a learning experience for us.

Yes, I understand that. You're learning about the trust issues as you go.
But you're asking to be trusted in the same league as other CAs who, ...
well ... frankly, they have staff members who probably understand all these issues better than you and I together do today. That gives me pause.


>> For example, Your CA apparently operates a working CRL, but I didn't
>> find that mentioned ANYWHERE on your web site.  I didn't find any link
>> about revocation or CRLs on your web pages.
>
> It's tagged on every single certificate issued, as well as the root
> certificate itself, in the last 18 months have only been asked for the
> URL once...

That should speak to how few web surfers know what CAs are.

> Also we are planning to change to another root certificate

Well, considering that a large percentage (all?) of your certs issued
to date include the issuer name and serial number in their Authority
Key ID, you're not going to be able to retire the old root CA cert very
soon, without effectively revoking all the certs you've issued to date.
So, you're going to have multiple roots simultaneously in effect.  You
could have avoided that by using only key IDs and not issuer name and
serial number in your authority key IDs, as recommended by RFC 3280.

> this is for a number of reasons, one of which is to include the OCSP
> url which we are still playing with to get working...

You really don't want to be asking MF to add new root certs for you
to mozilla every few months IMO.  Looks to me like you'll need to ask
that two be added.  And hopefully not too many more soon thereafter.

> Also with the OCSP setup, I plan to distribute these setups
> (only CRLs so privacy isn't an issue) across the globe, that way even if
> we get DoS'ed revoked certificates will still be accessible...

Well if all those servers have a common DNS name, then your DNS servers
will be the target of DDoS attacks.

>> Your web pages should have a link to download your CRL right next to the
>> link to download the root CA cert itself.  mozilla (the browser) will
>> automatically download updates after that.
>
> I was under the impression, that mozilla (the browser) was like MS IE in
> that it automatically checked based on CRL urls in certificates...

Once a mozilla user "primes the pump" by loading the first CRL, then yes,
the rest can be loaded automatically.

>> So, your CRLs appear to work with mozilla. Working CRLs are WAY WAY
>> better than no CRLs.  I'd consider a CA with CRLs _OR_ OCSP to have a
>> passing mark on the revocation question, for example.
>> OCSP servers in tsunami-resistant UPS-lined caves are merely icing on
>> the revocation cake.
>
> I'd consider distributed OCSP responders a better option again :)

For clients, yes. CRLs are best for servers doing client authentication.

>> So, I encourage you to be more forthcoming with info about your
>> practices.
>>
>> Here are a couple more suggestions that might help.
>>
>> 1. Make your CRLs available by http, as well as, or instead of https.

> the CRL is accessible via both SSL and non-SSL, and I'll be placing a
> link to it on the website.

Good, make sure the URL in your non-ssl certs is the http one.

>> 3. NEVER reuse a serial number that you've previously put into a cert
>> you've issued, ESPECIALLY not for your root CA cert.
>
> OpenSSL issues the serial numbers, and as far as I know, never issues
> multiples with the same serial number.

Chuckle.  There have been probably 50-100 or more bugs filed against
mozilla, 100% of which were from OpenSSL users who reissued their certs
and had OpenSSL start over with serial number 0 each time.  We finally
had to add a special error code to mozilla just to report this particular
problem because it was SO COMMON.  Maybe OpenSSL has finally fixed this,
I dunno.

--
Nelson B

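The two certificate-profile problems raised in the message above (an Authority Key Identifier that carries the issuer name and serial number instead of just the key ID, and serial numbers reused by the issuer) can be checked mechanically. The following is an added example, not code from the thread or from either CA: it decodes an AKI extension value with a small DER reader and audits a constructed list of issued certs; the key ID, issuer name and serial values are made-up samples.

```python
# Added example: decode an X.509 AuthorityKeyIdentifier (AKI) extension value and
# audit a constructed list of issued certs for pinned issuer/serial and reused serials.

def tlv(tag, content):
    """Encode one short-length DER TLV (used only to build the constructed samples)."""
    return bytes([tag, len(content)]) + content

def read_tlv(buf, pos=0):
    """Parse one DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_aki(der):
    """Report which AuthorityKeyIdentifier fields (RFC 3280 4.2.1.1) are present."""
    tag, body, _ = read_tlv(der)
    if tag != 0x30:
        raise ValueError("AKI must be a SEQUENCE")
    fields = {"keyIdentifier": None, "authorityCertIssuer": False,
              "authorityCertSerialNumber": None}
    pos = 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        if tag == 0x80:                     # [0] IMPLICIT KeyIdentifier (OCTET STRING)
            fields["keyIdentifier"] = value.hex()
        elif tag == 0xA1:                   # [1] IMPLICIT GeneralNames (constructed)
            fields["authorityCertIssuer"] = True
        elif tag == 0x82:                   # [2] IMPLICIT CertificateSerialNumber (INTEGER)
            fields["authorityCertSerialNumber"] = int.from_bytes(value, "big", signed=True)
    return fields

def audit(issued):
    """issued: list of (serial, aki_der) per issued cert. Returns finding strings."""
    findings, seen = [], {}
    for idx, (serial, aki_der) in enumerate(issued):
        if serial in seen:
            findings.append(f"cert #{idx}: serial {serial} reused (first used by cert #{seen[serial]})")
        seen.setdefault(serial, idx)
        aki = parse_aki(aki_der)
        if aki["authorityCertIssuer"] or aki["authorityCertSerialNumber"] is not None:
            findings.append(f"cert #{idx}: AKI pins issuer name/serial; replacing the root breaks chaining")
    return findings

# Constructed samples (hypothetical values, not real CA data).
KEYID = bytes(range(1, 21))                 # 20-byte SHA-1-style key identifier
ISSUER = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, b"Test CA"))))
AKI_KEYID_ONLY = tlv(0x30, tlv(0x80, KEYID))
AKI_PINNED = tlv(0x30, tlv(0x80, KEYID) + tlv(0xA1, tlv(0xA4, ISSUER)) + tlv(0x82, b"\x01"))
ISSUED = [(0, AKI_PINNED), (1, AKI_PINNED), (0, AKI_KEYID_ONLY)]  # serial 0 reused
```

Running `audit(ISSUED)` reports the two certs whose AKI pins the issuer name and serial, plus the reused serial 0; a cert with a key-ID-only AKI and a fresh serial yields no findings.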
_______________________________________________
mozilla-crypto mailing list
http://mail.mozilla.org/listinfo/mozilla-crypto