Re: DigiNotar EV root inclusion request

2008-04-30 Thread Frank Hecker
Frank Hecker wrote: > Rather than delay this application indefinitely until those questions > get resolved, I've decided to proceed in two steps. For step 1 I'll be > formally approving inclusion of the DigiNotar root in NSS, with SSL and > object signing trust bits enabled (no email trust bit).

Re: DigiNotar EV root inclusion request

2008-04-30 Thread Eddy Nigg (StartCom Ltd.)
Frank Hecker: P.S. Note that I'm shortening the normal public comment period somewhat. I'm doing that because based on the public comments I see no impediment to including the root for basic SSL and object signing, and I'd like to have Kai include it with the NSS changes for Network Solution

Re: DigiNotar EV root inclusion request

2008-04-30 Thread Frank Hecker
Frank Hecker wrote: > DigiNotar has applied to add a new root CA certificate to the Mozilla > root store and enable it for EV, as documented in the following bug: > > https://bugzilla.mozilla.org/show_bug.cgi?id=369357 > I have evaluated this request, as per the mozilla.org CA certificate > p

Re: DigiNotar EV root inclusion request

2008-04-27 Thread Eddy Nigg (StartCom Ltd.)
Frank Hecker: First, DigiNotar first submitted its request several months ago, at a time when its EV audit would have been current had I processed DigiNotar's application in a timely manner. ...and you would be today in a situation where you would have to remove this CA already from EV statu

Re: DigiNotar EV root inclusion request

2008-04-27 Thread Frank Hecker
Eddy Nigg (StartCom Ltd.) wrote: > In relation to that and after reviewing the audit report I suggest to > request from DigiNotar an updated audit report confirming current > implementations and assertion. I'll look into the status of DigiNotar's re-audit. However I'll note up front that I'm no

Re: DigiNotar EV root inclusion request

2008-04-27 Thread Eddy Nigg (StartCom Ltd.)
Frank Hecker: Note that there was an issue with DigiNotar's EV audit because at the time its production CA software did not have the necessary features to issue EV certificates; the software has since been upgraded and DigiNotar has since successfully issued EV certificates. In relation to tha

Re: DigiNotar EV root inclusion request

2008-04-27 Thread Eddy Nigg (StartCom Ltd.)
+1 Thank you Frank! -- Regards Signer: Eddy Nigg, StartCom Ltd. Jabber: [EMAIL PROTECTED] Blog: Join the Revolution! Phone: +1.213.341.0390 Frank Hecker: Nelson B Bolyard wrote: Eddy, I'm finding it diffi

Re: DigiNotar EV root inclusion request

2008-04-27 Thread Frank Hecker
Nelson B Bolyard wrote: > Eddy, I'm finding it difficult to track exactly which certs are the > subject of discussion here. You and Frank seem to be discussing > other certs than the DigiNotar certs here. The primary focus is DigiNotar, since it's their application being considered right now. Th

Re: DigiNotar EV root inclusion request

2008-04-26 Thread Eddy Nigg (StartCom Ltd.)
Nelson B Bolyard: IMO, Mozilla should NOT trust this CA for email in that case. Correct. If that is true, then IMO Mozilla should remove the email trust bit from the Staat der Nederlanden CA. Right. When I receive bug comments (such as comment 37) in email, I read them by themselves

Re: DigiNotar EV root inclusion request

2008-04-26 Thread Nelson B Bolyard
Eddy Nigg (StartCom Ltd.) wrote, On 2008-04-25 18:44: > We are discussing the CA roots of "DigiNotar" and "Staat der Nederlanden > Root CA". The first is due that they apparently don't perform any email > validation for their client certificates and requested email bit set, > but seem not to under

Re: DigiNotar EV root inclusion request

2008-04-25 Thread Eddy Nigg (StartCom Ltd.)
Nelson B Bolyard: Eddy, I'm finding it difficult to track exactly which certs are the subject of discussion here. You and Frank seem to be discussing other certs than the DigiNotar certs here. We are discussing the CA roots of "DigiNotar" and "Staat der Nederlanden Root CA". The first is d

Re: DigiNotar EV root inclusion request

2008-04-25 Thread Nelson B Bolyard
Eddy, I'm finding it difficult to track exactly which certs are the subject of discussion here. You and Frank seem to be discussing other certs than the DigiNotar certs here. I think the question of principle at issue here is whether Mozilla policy ought to require that, at a minimum, any field i

Re: DigiNotar EV root inclusion request

2008-04-25 Thread Eddy Nigg (StartCom Ltd.)
Frank Hecker: Eddy Nigg (StartCom Ltd.) wrote: ** Concerning the Staat der Nederlanden CA, this is currently just a claim brought forward in the bug by the representative of DigiNotar and must be confirmed first. Maybe you know for certain that this is correct, I haven't verified that claim.

Re: DigiNotar EV root inclusion request

2008-04-25 Thread Frank Hecker
Eddy Nigg (StartCom Ltd.) wrote: > Frank, I suggest that you balance what impact it has on the relying > parties in the first place (e.g. the users of your software) before you take > care about the effects of the CA. In case it wasn't clear, my primary concern is for end users of Thunderbird who mi

Re: DigiNotar EV root inclusion request

2008-04-25 Thread Eddy Nigg (StartCom Ltd.)
Frank Hecker: Eddy Nigg (StartCom Ltd.) wrote: Considering for a minute your statement above, what are the CAs in question doing in order to guarantee domain/email ownership? What are the controls in place which let them rely on identity validation only? This is where I think we need furt

Re: DigiNotar EV root inclusion request

2008-04-25 Thread Frank Hecker
Eddy Nigg (StartCom Ltd.) wrote: > Well, I consider this the minimal technical validation required. > Identity/Organization validation for S/MIME implies proof of ownership > of the email account/address. Thunderbird doesn't validate the common > name or organization field, but the email address

Re: DigiNotar EV root inclusion request

2008-04-25 Thread Eddy Nigg (StartCom Ltd.)
Eddy Nigg (StartCom Ltd.): Taking it one step further, would you ever accept server certificates which were ID/OV validated without sufficient proof of domain ownership? I just recently made the call that for certain types of certificates domain validation isn't enough and additional validat

Re: DigiNotar EV root inclusion request

2008-04-25 Thread Eddy Nigg (StartCom Ltd.)
Frank Hecker: Eddy Nigg (StartCom Ltd.) wrote: Before going any further and after reading the entries in the bug, it seems to me that the issue concerning email validation hasn't been positively resolved...can you confirm that or provide some explanation? This was/is another judgment call

Re: DigiNotar EV root inclusion request

2008-04-24 Thread Frank Hecker
Eddy Nigg (StartCom Ltd.) wrote: > Before going any further and after reading the entries in the bug, it > seems to me that the issue concerning email validation hasn't been > positively resolved...can you confirm that or provide some explanation? This was/is another judgment call. IIRC when we form

Re: DigiNotar EV root inclusion request

2008-04-24 Thread Eddy Nigg (StartCom Ltd.)
Frank Hecker: DigiNotar has applied to add a new root CA certificate to the Mozilla root store and enable it for EV, as documented in the following bug: https://bugzilla.mozilla.org/show_bug.cgi?id=369357 and in the pending certificates list: http://www.mozilla.org/projects/security/certs/

DigiNotar EV root inclusion request

2008-04-24 Thread Frank Hecker
DigiNotar has applied to add a new root CA certificate to the Mozilla root store and enable it for EV, as documented in the following bug: https://bugzilla.mozilla.org/show_bug.cgi?id=369357 and in the pending certificates list: http://www.mozilla.org/projects/security/certs/pending/#DigiNot