During the last few months many issues concerning sub-ordinated CA 
certificates of CAs, considered for inclusion and CAs already included 
in NSS, have come up at this forum. Today a situation exists where the 
Mozilla CA policy doesn't provide enough guidance and definition, because 
the policy was defined originally with assumptions not holding water 
for today's realities (freely quoting Frank here).

I have the feeling that everything related to sub-ordinated CA 
certificates has reached "dangerous" levels and makes it almost 
impossible to clearly know if the Mozilla CA policy is still protecting 
the user of the various Mozilla products. There are and were various 
situations and setups of different CAs from:

- governmental institutions issuing sub CA certificates to "authorized" 
CAs,
- sub CAs shipped via Internet download by the issuing CA,
- CAs which are chained to such an extent that it's hard to believe 
that the CA which has its root in Mozilla has any control over the 
issuing entity,
- sub CAs without any clear policies in place,
- Auditing of said CAs simply non-existent and more...

Additionally, in a short time, various CAs will be considered for 
"upgrading" to EV status, including at least one CA with more than _124_ 
sub-ordinated CA certificates, all of which are supposed to 
receive this status. This is such a widespread phenomenon, which has 
outgrown our current policy to such an extent, that _I'm requesting 
hereby and now to have a thorough review of this situation and 
reassessment_ of the Mozilla CA policy concerning everything related to 
sub-ordinated CAs.

Please note that I'm not making any suggestions and arguments right now 
about what a sound policy should be, rather I believe that it requires 
an extensive assessment of the current situation and related discussion 
in order to define the best definitions. But there is going to be an 
unbelievable, explosive situation also in relation to EV upgrades which 
perhaps none of us has foreseen, a situation which goes completely 
against the spirit and objectives of EV itself - the major reason why 
Mozilla has supported this effort in the first place!

In connection with this request, I'd also like to have cross-signing 
between CA roots defined in the Mozilla CA policy, since cross-signing 
might touch a similar field, which could at some point land us in a 
similar situation of losing control.

-- 
Regards 
 
Signer:         Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber:         [EMAIL PROTECTED] <xmpp:[EMAIL PROTECTED]>
Blog:   Join the Revolution! <http://blog.startcom.org>
Phone:          +1.213.341.0390
 
