rainer_k wrote:
> If this is such a serious concern, why did Microsoft decide to put
> this CA inside the Windows CA store and even distribute this via
> automatic update?
> Installment of the Telekom CA into Firefox and putting more
> restrictive policies for CAs into action in general are two
> different topics and should not be interwoven.
I have not yet had time to read and respond to all the messages in this thread. However, I do want to make two points:

First, as Eddy Nigg mentioned, Mozilla does not have exactly the same policy as Microsoft with respect to adding root CA certificates. We are a public project in which anyone can participate, and our policy is designed to address the concerns that many Mozilla community members have about adding new roots. In particular, our community members want to have a reasonable level of assurance that CAs follow basic security practices when issuing SSL, email, or object signing certificates, and they want to have some publicly-available evidence regarding those practices. That is why our policy has some (relatively minimal) requirements regarding verification of subscribers' domains, email addresses, and identities (for SSL, email, and object signing certificates respectively). That is also why we want to see Certification Practice Statements or other published documents that state that such verification is done.

Second, in the case of T-Systems the issue seems to be that T-Systems functions primarily as a root CA, not as a CA issuing end-entity certificates. Therefore the T-Systems CPS does not address practices relating to issuance of end-entity certificates. The solution seems to be that we need to look at the CPS documents for DFN and other subordinate CAs of T-Systems, or obtain some other public statement about the practices of these subordinate CAs.

Frank

--
Frank Hecker
[EMAIL PROTECTED]

_______________________________________________
dev-tech-crypto mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-crypto

