David E. Ross:
Is the problem here caused (or at least compounded) by the
implementation of bug #399045? See
https://bugzilla.mozilla.org/show_bug.cgi?id=399045.
No.
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Jabber: [EMAIL PROTECTED]
Blog: https://blog.startcom.org
Nelson B Bolyard:
I am confident that removing the email trust flag from the Entrust root
that cross certified the Diginotar root key would effectively stop certs
issued by Diginotar from being treated as valid email certs. This is the
only method in which I am confident, today.
We have
Eddy Nigg wrote, On 2008-06-24 14:56:
Another question is, what happens if the cross-signed certificate is
revoked AND NSS recognizes the revocation. Would this effectively have
the DigiNotar root show up as revoked?
It would, UNLESS any of the following were true:
1. A newer Entrust
Nelson B Bolyard:
Eddy Nigg wrote, On 2008-06-24 14:56:
Another question is, what happens if the cross-signed certificate is
revoked AND NSS recognizes the revocation. Would this effectively have
the DigiNotar root show up as revoked?
It would, UNLESS any of the following were true:
1. A
Frank Hecker wrote:
3. Find some other way to get NSS not to recognize DigiNotar certs for
email, perhaps in combination with some action by Entrust and/or
DigiNotar. For example, one idea is to have end users of DigiNotar certs
reconfigure their email clients to have cert chains that
David E. Ross wrote:
Has the failure by Entrust to enforce its policies against DigiNotar
been brought to the attention of Entrust's auditors? I think it should.
For the record, Entrust understands what our concern is and has been
cooperative in trying to come up with a way to address it.
Frank Hecker:
For the record, Entrust understands what our concern is and has been
cooperative in trying to come up with a way to address it. However the
problem is that even if Entrust were to revoke DigiNotar's intermediate
CA certificate that would not help resolve the problem, for the
Eddy Nigg wrote:
Perhaps Nelson can provide more information about the road map for CRL
fetching, but it will be soon supported by NSS. This would solve the
problem once it is.
Note that there are other things besides CRL checking per se that I'd
like to see in NSS. There seem to be a lot
On 6/20/2008 5:44 PM, Eddy Nigg wrote [in part]:
This boils down to either of the two other options. If NSS isn't able to
choose the DigiNotar root or treat the cross-signed certificate as
revoked, then the email bit of Entrust should be set to off until the
issue is solved in a different
Kyle Hamilton:
I tend to disagree.
I think that Mozilla needs to grow enough balls to boot out anyone who
doesn't continue to adhere to the standards for inclusion after
approval.
The first step is to receive a firm commitment from the CA. Before
kicking a CA out of NSS, Mozilla should make