Robin Alden:
>> - We are not seeking to cause any harm to Comodo or unilaterally remove
>> the roots from NSS. However can we seek the cooperation on the issues
>> which were raised and is Comodo willing to address these issues in good
>> faith?
>>
> [Robin said...] We are willing to address issues which are of concern to
> Mozilla, provided that the same standard applies at the same time to all
> CAs.
>

I think this is the general understanding.

>> - Apparently you agree that the major issues we've raised, indeed pose a
>> higher risk to the relying parties. Can we work together in order to
>> improve your products to the extent that both sides can live with it and
>> based on reasonable terms? This would improve the overall quality of all
>> certificates issued by CAs which are included in NSS, which would result
>> in further strengthening of digital certification in general and in
>> Mozilla software in particular. It would improve also your standing in
>> this industry!
>>
> [Robin said...]
> I didn't agree that any of the issues you raised were major ones.

As long as somebody else potentially has a legitimate certificate for *my* domain name because of *your* CA, this risk is for me a major one. I should be assured that nobody besides *me* has a legitimate certificate two years after I purchased the domain. This might be fine with you that other people have certificates for your domain names; it's not fine with me.

> I do agree that there are a variety of levels of risk provided by the product
> ranges we have discussed.
> We are keen that levels of risk are reduced across the industry and we are
> always happy to talk about how that can be achieved. I do not see how the
> withdrawal or modification of some of our products in isolation accomplishes
> that overall reduction in risk. Amend your policy so that it fully
> expresses your requirements and then apply that policy to all CAs.
>

As a market leader you should be comfortable to lead the way and make your contribution without some other authority telling you what to do. This makes the difference between a leader and a follower.

>
> [Robin said...] As I mentioned before, we are commercially obliged to have
> our root CAs present in the major browser and OS platforms. In the absence
> of other authority it is those browsers and OS platforms that set the
> standards we have to follow. Since no single browser has the entire market
> cornered we are obliged to meet the union of all of the standards set by all
> of the browsers.
> We are prepared to comply with Mozilla's CA Policy.

Well, you don't have to, if you don't want to...

> We are prepared to
> enter into and assist with discussions with Mozilla about changes they may
> wish to make to their policy. We are also prepared to do the same with any
> other commercially important Browsers and OS platforms.
>

I think your input could be valuable and you are invited to join any effort in that respect. Mozilla is a community project and you can be part of this community.

>
> [Robin said...]
> I'm not the first guy you need to get to agree that your suggestions are
> reasonable.
> Mozilla should amend its CA policy if it believes there is something that it
> does not currently address and then apply that new policy to all CAs.
> The proscription of SSL products, or of details of their implementation, is
> something that should reasonably be discussed collectively with the CAs and
> the browsers. Can I suggest that the CAB Forum would be one place in which
> the matter could usefully be discussed? Mozilla is already able to propose
> such matters for discussion there through Jonathan Nightingale.
>

No, because the CAB Forum is for EV certificates and has failed to address many other pressing issues, IMO. Additionally the CAB Forum is a closed interest forum of CAs and some software vendors, inaccessible to the public and/or smaller software vendors and CAs. Nobody knows what Jonathan does at the CAB Forum either, nor do we know what the CAB Forum does at all.

--
Regards

Signer: Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber: [EMAIL PROTECTED] <xmpp:[EMAIL PROTECTED]>
Blog: Join the Revolution! <http://blog.startcom.org>
Phone: +1.213.341.0390

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto