Gervase Markham wrote:
> - Mozilla writes loads of code to detect each different type of CA
> certificate and make sure that NSS knows what level it corresponds to
> (or are we doing that bit by asking the CAs to include new OIDs?)

You wrote that in the present tense (or is it present progressive), as if that is what Mozilla does today. Today, all certs are reckoned to be at the same level. That's why we're here discussing this!

We're not asking the CAs to include new OIDs. But that's the general direction of the cert standards, such as RFC 3280, and that's what CAs are doing. We're going along with it. We're implementing the ability to recognize and validate certificate policy extensions now. Hope to have that this year.

Eddy Nigg wrote:
>> However there is another thing which I'd like to mention and suggest
>> adjustment of the policy and CA inclusion process: As of today, CAs
>> don't have to make any commitment concerning adherence to the Mozilla
>> CA policy and don't have to sign anything. I think this is
>> "interesting" to say the least. I suggest to let CAs sign the Mozilla
>> CA policy and a statement like: "By requesting a CA certificate to be
>> embedded in Mozilla software, the CA agrees to adhere to this
>> policy in full..." and confirm to have read, understood etc. of the
>> same paper... Something for the lawyers obviously, but I think it has
>> to be done in some way.

I think I agree with you about this, Eddy.

As I understand it, each CA whose root cert is in Microsoft's root CA list has signed a contract with Microsoft. One of the things the contract does is to require the CA to hold Microsoft harmless from any lawsuit that might be filed against Microsoft for a problem that was due to a CA's fault. If a CA certifies a lie, and some user gets burned and he sues Microsoft, the CA has to defend Microsoft and pay any judgments against Microsoft. As I understand it, each root CA has to provide a bond that it can perform that hold-harmless clause, and the amount of the bond is set forth in the contract. I think presently it's a number in the millions of US Dollars.

A CA that issues subordinate CA certs to other CA companies still has to hold Microsoft harmless for the performance of those subordinate CAs, IINM. That gives the root CAs plenty of incentive to monitor their subordinate CAs for compliance with their policies.

So, Microsoft is getting protection, in the form of a limit of liability, that Mozilla is not getting. I believe that Opera uses similar contracts with the CAs whose roots they include. I think it's a shame that Mozilla doesn't get similar protection. Why take the risk without getting any mitigation of that risk?

Gerv wrote:
> Definitely something for the lawyers, in that it would fundamentally
> change the relationship between CA and browser.

Only for Mozilla browsers.

> Currently, we have no contract, and so no obligation to continue
> including the cert.

So if mofo/moco gets sued, it can remove the offending CA's cert. Doesn't seem like much protection for Mozilla, to me.

> A contract would probably have commitments both ways, implied if not
> explicit.

Is that a bad thing?

_______________________________________________
dev-security mailing list
https://lists.mozilla.org/listinfo/dev-security
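The certificate-policy recognition the reply above says NSS is implementing comes down, on the relying-party side, to decoding the certificatePolicies extension (RFC 3280 section 4.2.1.5) and looking its policy OIDs up in a table of known policies. The following is an added example, not code from this thread, from Mozilla or from NSS: a small DER decoder for that extension plus the lookup, run over an extension value constructed in the file itself. The OIDs under 2.999 (the ITU-T example arc), the CPS URL and the level table are assumptions made for the example; anyPolicy (2.5.29.32.0) and id-qt-cps (1.3.6.1.5.5.7.2.1) are the RFC 3280 values.

```python
# Added example (not from the thread, Mozilla or NSS): decode an X.509
# certificatePolicies extension value and map its policy OIDs to an
# assurance level. Every input below is constructed here; no real CA's
# certificate or policy identifiers are used.
from typing import Dict, List, Tuple

TAG_SEQUENCE = 0x30
TAG_OID = 0x06
TAG_IA5STRING = 0x16

ANY_POLICY = "2.5.29.32.0"        # anyPolicy, RFC 3280 section 4.2.1.5
ID_QT_CPS = "1.3.6.1.5.5.7.2.1"   # CPS pointer qualifier, RFC 3280

# Assumed table for this example only: 2.999 is the ITU-T example OID arc,
# so these identifiers belong to no real CA policy.
POLICY_LEVELS: Dict[str, str] = {
    "2.999.1": "domain-validated",
    "2.999.2": "organization-validated",
}
LEVEL_RANK = ["domain-validated", "organization-validated"]  # low to high


def _read_length(data: bytes, pos: int) -> Tuple[int, int]:
    """Decode a DER length at pos; return (length, position after it)."""
    first = data[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4:
        raise ValueError("unsupported DER length encoding")
    return int.from_bytes(data[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def _read_tlv(data: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one tag-length-value triple; return (tag, value, next position)."""
    tag = data[pos]
    length, pos = _read_length(data, pos + 1)
    end = pos + length
    if end > len(data):
        raise ValueError("DER element runs past end of buffer")
    return tag, data[pos:end], end


def decode_oid(content: bytes) -> str:
    """Turn the base-128 content octets of an OBJECT IDENTIFIER into dotted form."""
    arcs: List[int] = []
    acc = 0
    for byte in content:
        acc = (acc << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(acc)
            acc = 0
    if acc or not arcs:
        raise ValueError("truncated OID")
    first = arcs[0]                       # first two arcs share one subidentifier
    head = [0, first] if first < 40 else [1, first - 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in head + arcs[1:])


def parse_certificate_policies(der: bytes) -> List[str]:
    """Return the policyIdentifier OIDs of a certificatePolicies extnValue.

    certificatePolicies ::= SEQUENCE OF PolicyInformation
    PolicyInformation   ::= SEQUENCE { policyIdentifier OID,
                                       policyQualifiers SEQUENCE OPTIONAL }
    Qualifiers (CPS pointers, user notices) are skipped, not validated.
    """
    tag, body, end = _read_tlv(der, 0)
    if tag != TAG_SEQUENCE or end != len(der):
        raise ValueError("certificatePolicies is not a single SEQUENCE")
    oids: List[str] = []
    pos = 0
    while pos < len(body):
        tag, info, pos = _read_tlv(body, pos)
        if tag != TAG_SEQUENCE:
            raise ValueError("PolicyInformation is not a SEQUENCE")
        tag, oid_bytes, _ = _read_tlv(info, 0)
        if tag != TAG_OID:
            raise ValueError("policyIdentifier is not an OID")
        oids.append(decode_oid(oid_bytes))
    return oids


def assurance_level(oids: List[str], levels: Dict[str, str] = POLICY_LEVELS) -> str:
    """Highest recognized level among the cert's policies. anyPolicy and
    unknown OIDs carry no assurance by themselves, so a cert with only
    those is reported as 'unclassified' rather than given a level."""
    matched = [levels[o] for o in oids if o in levels]
    return max(matched, key=LEVEL_RANK.index) if matched else "unclassified"


# --- DER encoding helpers, used only to construct the sample input ---
def _tlv(tag: int, value: bytes) -> bytes:
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    length = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length)]) + length + value


def encode_oid(oid: str) -> bytes:
    """Encode a dotted OID as a complete OBJECT IDENTIFIER TLV."""
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray()
    for arc in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(TAG_OID, bytes(out))


# Constructed sample: one policy carrying a CPS-pointer qualifier, then anyPolicy.
SAMPLE_EXTENSION = _tlv(TAG_SEQUENCE,
    _tlv(TAG_SEQUENCE, encode_oid("2.999.2")
         + _tlv(TAG_SEQUENCE, _tlv(TAG_SEQUENCE, encode_oid(ID_QT_CPS)
                                    + _tlv(TAG_IA5STRING, b"https://example.invalid/cps"))))
    + _tlv(TAG_SEQUENCE, encode_oid(ANY_POLICY)))

if __name__ == "__main__":
    found = parse_certificate_policies(SAMPLE_EXTENSION)
    print("policies:", found, "->", assurance_level(found))
```

The lookup is deliberately a whitelist: an OID the relying party has not been told about contributes nothing, and anyPolicy is treated the same way, so the level a certificate receives depends only on what the table says, not on anything the issuer chose to assert.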
