Yes, I understand that. You're learning about the trust issues as you go.
But you're asking to be trusted in the same league as other CAs who, ...
well ... frankly, they have staff members who probably understand all these issues better than you and I together do today. That gives me pause.
No, my comments about that were in relation to policies and documentation; the security side of things has all been brought up and dealt with a long time ago.
That should speak to how few web surfers know what CAs are.
The bigger question is how few web surfers care about security.
Well, considering that a large percentage (all?) of your certs issued to date include the issuer name and serial number in their Authority Key ID, you're not going to be able to retire the old root CA cert very soon, without effectively revoking all the certs you've issued to date.
Phase-out period of 6 months, during which most will have been revoked, with the new one effective from then. Since it's impossible to include OCSP URIs without changing the root certificate, we're between a rock and a hard place, unfortunately.
So, you're going to have multiple roots simultaneously in effect. You could have avoided that by using only key IDs and not issuer name and serial number in your authority key IDs, as recommended by RFC 3280.
I haven't had time to check this RFC yet, I will be shortly...
You really don't want to be asking MF to add new root certs for you to mozilla every few months IMO. Looks to me like you'll need to ask that two be added. And hopefully not too many more soon thereafter.
Actually, we're asking for 3, maybe 4; the "maybe" depends on how long the current policy debate takes.
I'd like 1 root certificate and 2 sub-roots, with the root stored offline and the 2 sub-roots doing all the issuing: 1 for client, 1 for server.
Well if all those servers have a common DNS name, then your DNS servers will be the target of DDoS attacks.
DNS can very easily be distributed as well.
Once a mozilla user "primes the pump" by loading the first CRL, then yes, the rest can be loaded automatically.
MS IE does this checking regardless of whether it's been primed or not; I've added the URL to the website regardless.
Chuckle. There have been probably 50-100 or more bugs filed against mozilla, 100% of which were from OpenSSL users who reissued their certs and had OpenSSL start over with serial number 0 each time. We finally had to add a special error code to mozilla just to report this particular problem because it was SO COMMON. Maybe OpenSSL has finally fixed this, I dunno.
Hmmm, I hadn't actually come across this bug...
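The Authority Key Identifier point raised above (issuer name plus serial number versus key ID only, as RFC 3280 recommends), worked through as an added example that is not from the thread or from either party's own tooling. It assumes the openssl command line is installed; the CA name, hostname and serial numbers are made up for the demonstration.

```shell
# Constructed demo: the AKI style in an issued cert decides whether a
# re-issued root (same key, new serial, e.g. to add an OCSP URI) still
# verifies it.  Needs the openssl CLI; names and serials are made up.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

openssl ecparam -name prime256v1 -genkey -noout -out root.key 2>/dev/null
openssl ecparam -name prime256v1 -genkey -noout -out leaf.key 2>/dev/null
openssl req -new -key root.key -subj "/CN=Example Root CA" -out root.csr 2>/dev/null
openssl req -new -key leaf.key -subj "/CN=www.example.test" -out leaf.csr 2>/dev/null

# Root extensions: CA flag plus a Subject Key Identifier derived from the
# public key, so both root certs below carry the identical SKI.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > root_ext.cnf

# mk_root <out.pem> <serial>: self-sign root.key into a root certificate
mk_root() {
  openssl x509 -req -in root.csr -signkey root.key -set_serial "$2" \
    -days 3650 -extfile root_ext.cnf -out "$1" 2>/dev/null
}
mk_root root1.pem 1000   # the root as originally published
mk_root root2.pem 2000   # same key, re-issued with a new serial number

# mk_leaf <out.pem> <AKI spec>: sign leaf.csr with root1, using the given
# authorityKeyIdentifier style in the issued certificate
mk_leaf() {
  printf 'basicConstraints=CA:FALSE\nauthorityKeyIdentifier=%s\n' "$2" > leaf_ext.cnf
  openssl x509 -req -in leaf.csr -CA root1.pem -CAkey root.key -set_serial 1 \
    -days 365 -extfile leaf_ext.cnf -out "$1" 2>/dev/null
}
mk_leaf leaf_keyid.pem  'keyid'                # key ID only (RFC 3280 advice)
mk_leaf leaf_issuer.pem 'keyid,issuer:always'  # also issuer name + serial

# verifies <leaf.pem> <root.pem>: echoes ok or FAIL (openssl's verdict)
verifies() {
  if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then echo ok; else echo FAIL; fi
}

# Key-ID-only leaf chains to either root; the issuer+serial leaf only
# chains to the root cert whose serial it pinned, so re-issuing the root
# orphans it.
for leaf in leaf_keyid.pem leaf_issuer.pem; do
  for root in root1.pem root2.pem; do
    echo "$leaf against $root: $(verifies "$leaf" "$root")"
  done
done
```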
