Although not actually on-topic for this thread, the following is still relevant to the overall issue of approving CA certificates.
Earlier this month, I went to a secure Web site where the site's certificate was issued by Comodo, which did not yet exist in my Mozilla 1.7.2 database (now upgraded to 1.7.3). I downloaded and added the necessary Comodo CA certificate -- Comodo Class 3 Security Services CA -- because it is on Mozilla's "approved but pending" list at <http://www.hecker.org/mozilla/ca-certificate-list/>. But I still had a problem. It turned out that the Comodo certificate was signed by the GTE Cyber Trust Global Root certificate, which I had disabled (but not deleted) because GTE Cyber Trust is not on the WebTrust list.

It turns out that GTE Cyber Trust no longer exists (and thus can't be listed by WebTrust), having been bought by Betrusted. Since Betrusted is listed by WebTrust, I re-enabled the GTE Cyber Trust Global Root certificate to solve my problem. However, not even WebTrust has been able to confirm whether Betrusted's WebTrust "seal" applies to all CAs (several) that Betrusted has acquired. WebTrust is still investigating the status of the GTE Cyber Trust Global Root certificate. In the meantime, I am somewhat uneasy about having re-enabled that certificate and have again disabled it pending the results of WebTrust's investigation.

This adventure illustrates two issues that need to be addressed, partially in the Mozilla CA Certificate Policy and partially in Mozilla's practices.

1. When a CA certificate was issued and signed by a different CA, it should not be approved and included in the Mozilla database unless the certificate for that other CA is also approved and included. If the latter CA does not meet the criteria for inclusion, the former CA should issue and sign its own certificates. But what impact does that have on site certificates already issued by the former CA and signed with the defective CA certificate?

2. If the ownership of a CA changes, what steps should be taken to ensure that the practices by which its certificates were approved for inclusion in the Mozilla database still prevail? It is NOT unknown for criminals to buy out legitimate businesses. Does WebTrust periodically re-evaluate CAs? For CAs approved by Mozilla through its own evaluation, should not Mozilla re-evaluate at least each time ownership changes?

--
David E. Ross
<http://www.rossde.com/>

I use Mozilla as my Web browser because I want a browser that complies with Web standards. See <http://www.mozilla.org/>.

_______________________________________________
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto
