Robin, just to answer this one...

Robin Alden:
> [Robin said...]
> A fair point, and perhaps that is a whole other problem. Our CA *does* have
> roots in NSS.
>

This is correct. However your CA roots are considered legacy roots which were inherited from the Netscape era. Many critics have rightly pointed to the fact that these legacy roots never underwent a review nor proper inclusion process. This is the reason why Frank made your request for upgrade conditional and a general inclusion request as if this were new roots. Your CA doesn't enjoy immunity because you have these legacy roots in NSS, nor does any other CA have that privilege, no matter if legacy or not.

> Is this:
> a) an abstract discussion to help Mozilla crystallize the details of its CA
> policy,
>

No! Mozilla does have a CA policy and defined procedures on how CAs are included into NSS. This also includes a public discussion where relevant issues with the "to-be-included" CA can be raised. I made use of this right and raised my objection to the inclusion of your CA into NSS under the current circumstances. No decision has been made so far however.

> b) a discussion about what changes to CA behaviour Mozilla would like to see
> (and may insist on) from some point in time, or
>

No!

Mozilla has the right to not include a particular CA certificate in its software products, to discontinue including a particular CA certificate in its products, /or/ to modify the "trust bits" for a particular CA certificate included in its products, *at any time and for any reason*. This includes (but is not limited to) cases where we believe that including a CA certificate would cause *undue risks to users' security*... (c) Copyright of the Mozilla CA policy

> c) a trial to determine whether our CAs should be removed from Mozilla
> products?
>

No, it's the process of considering the inclusion of your CA roots and upgrade to EV status. This is not a trial, as Mozilla has refused the inclusion of CAs already entirely in the past or made the inclusion conditional to certain aspects to their CPS and implementation. It has nothing to do with your CA per se, this is due process of the inclusion process.

> We have certainly strayed from my point of entry into this process which was
> to ask to have these 3 existing roots enabled for EV.
>

See above (first section) why this isn't the case! Additionally, to all of my knowledge, other CAs had to undergo the very same process as well and your situation isn't unique!

--
Regards

Signer: Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Blog: Join the Revolution! <http://blog.startcom.org>
Phone: +1.213.341.0390