Eddy Nigg wrote, On 2008-12-16 18:20:
> On 12/17/2008 03:42 AM, Nelson B Bolyard:
>> Do the new certs for S-TRUST have the same key, or do they have
>> different keys? If they have different keys, do they also have different
>> subject names?
>> Do they have different Subject Key ID (SKID) extension values?
>> Do the certs they issue have Authority Key ID (AKID) extensions?
>
> Nelson, see this attachment from Kathleen:
> https://bugzilla.mozilla.org/attachment.cgi?id=337729 scroll to page two
> and come to your own conclusions.
One of the reasons I asked the question is that MS Word files present a problem for me. But I did dig up the URLs for the 4 CA certs, and examined those certs. Each of them has a separate subject name, public key, subject key ID, authority key ID, and of course validity period.

To be honest, I think this is a burden that Mozilla ought not to bear. Mozilla should not put itself into a position of needing to add a new root CA cert for this CA every year, and then keep them for a long time thereafter.

Further, if (as the bug suggests) the REAL PRIMARY purpose of this CA is to provide German citizens with SSL client certificates, and it is not used to issue SSL server certs, then it is (or should be) unnecessary for their browsers to have this CA cert AT ALL. For SSL client auth purposes, it's quite sufficient for the browser to just have the user's cert and private key and no CA cert at all. The server sends down a message saying "if you have a cert issued by this CA, send it". The browser examines the certs it possesses to find ones that have the desired string in the issuer name, and for which the browser has the private key. Having the CA cert is unnecessary.

While some German law or regulation may require them to issue new roots annually, I doubt that it prevents them from also issuing intermediate CA certs with the same subject name, key, subject key ID, etc., but issued by some single common root that changes infrequently (these are so-called cross-signed CA certs). With such a scheme, the root that issues the cross-signed certs can be the one to get put into Mozilla with email trust.

So, my advice is: just say no. Don't take on the burden of adding a new root CA cert every year when there is no good need. Please consider this an objection to including those roots in the root CA list.

_______________________________________________
dev-tech-crypto mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-crypto
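The client-authentication flow described in the message above (the server lists the CA names it accepts in its CertificateRequest; the browser picks a certificate by issuer name and by whether it holds the private key, consulting no CA certificate at all), as an added example that is not part of the original e-mail or of any Mozilla/NSS code. It follows the TLS 1.2 CertificateRequest layout of RFC 5246 section 7.4.4 and encodes a minimal X.501 Name by hand. The CA names (`ROOT_2008`, `ROOT_2009`, `OTHER_CA`), the certificate-store entries and the helper names are all constructed for illustration and are not real S-TRUST data.

```python
"""Added example (not from the original e-mail): how a TLS 1.2 client chooses a
client certificate from the server's CertificateRequest without holding the CA
certificate. Layout per RFC 5246 section 7.4.4. The CA names, the certificate
store and the request itself are constructed here for illustration."""
import struct
from dataclasses import dataclass

# X.501 attribute type OIDs as DER content octets (2.5.4.6, 2.5.4.10, 2.5.4.3)
OID_COUNTRY = bytes([0x55, 0x04, 0x06])
OID_ORG = bytes([0x55, 0x04, 0x0A])
OID_CN = bytes([0x55, 0x04, 0x03])


def der_len(n: int) -> bytes:
    """DER definite-form length octets."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body


def der_name(attrs) -> bytes:
    """Name ::= SEQUENCE OF RDN; each RDN here is a SET holding one
    AttributeTypeAndValue ::= SEQUENCE { OID, PrintableString }."""
    rdns = b""
    for oid, value in attrs:
        atv = der_tlv(0x30, der_tlv(0x06, oid) + der_tlv(0x13, value.encode("ascii")))
        rdns += der_tlv(0x31, atv)
    return der_tlv(0x30, rdns)


def build_certificate_request(cert_types, sig_algs, ca_names) -> bytes:
    """Server side: CertificateRequest body (handshake header omitted)."""
    out = bytes([len(cert_types)]) + bytes(cert_types)
    sa = b"".join(bytes(pair) for pair in sig_algs)
    out += struct.pack("!H", len(sa)) + sa
    cas = b"".join(struct.pack("!H", len(n)) + n for n in ca_names)
    return out + struct.pack("!H", len(cas)) + cas


def parse_certificate_request(body: bytes):
    """Client side: returns (cert_types, sig_algs, ca_names). Every length
    field is bounds-checked; a truncated or padded message raises ValueError."""
    pos = 0

    def need(n):
        if pos + n > len(body):
            raise ValueError("CertificateRequest truncated")

    need(1)
    n = body[pos]
    pos += 1
    need(n)
    cert_types = list(body[pos:pos + n])
    pos += n
    need(2)
    (n,) = struct.unpack_from("!H", body, pos)
    pos += 2
    need(n)
    if n % 2:
        raise ValueError("odd supported_signature_algorithms length")
    sig_algs = [(body[i], body[i + 1]) for i in range(pos, pos + n, 2)]
    pos += n
    need(2)
    (n,) = struct.unpack_from("!H", body, pos)
    pos += 2
    need(n)
    end = pos + n
    names = []
    while pos < end:
        if pos + 2 > end:
            raise ValueError("bad DistinguishedName length prefix")
        (ln,) = struct.unpack_from("!H", body, pos)
        pos += 2
        if ln == 0 or pos + ln > end:
            raise ValueError("bad DistinguishedName length")
        names.append(body[pos:pos + ln])
        pos += ln
    if pos != len(body):
        raise ValueError("trailing bytes after certificate_authorities")
    return cert_types, sig_algs, names


@dataclass
class ClientCert:
    label: str
    issuer_der: bytes       # DER Name from the certificate's issuer field
    has_private_key: bool   # only certs with a usable key can be offered


def select_client_certs(store, ca_names):
    """Certs whose issuer is one of the listed names and whose private key
    is available. No CA certificate is looked up or needed."""
    wanted = set(ca_names)
    return [c for c in store if c.has_private_key and c.issuer_der in wanted]


# Constructed names standing in for a CA that issues a fresh root every year.
ROOT_2008 = der_name([(OID_COUNTRY, "DE"), (OID_ORG, "Example CA"), (OID_CN, "Example Root 2008")])
ROOT_2009 = der_name([(OID_COUNTRY, "DE"), (OID_ORG, "Example CA"), (OID_CN, "Example Root 2009")])
OTHER_CA = der_name([(OID_COUNTRY, "US"), (OID_ORG, "Other CA"), (OID_CN, "Other Root")])

STORE = [  # constructed certificate store
    ClientCert("citizen-2008", ROOT_2008, True),   # the user's own cert and key
    ClientCert("other-user", OTHER_CA, True),      # key present, issuer not listed
    ClientCert("peer-2009", ROOT_2009, False),     # someone else's cert, no key
]


def demo():
    # rsa_sign client cert type; sha256/rsa and sha256/ecdsa signature algorithms
    req = build_certificate_request([1], [(4, 1), (4, 3)], [ROOT_2008, ROOT_2009])
    _, _, names = parse_certificate_request(req)
    return [c.label for c in select_client_certs(STORE, names)]


if __name__ == "__main__":
    print(demo())
```

The match is byte-for-byte on the DER-encoded issuer name, which is the form the names travel in on the wire, so no CA certificate, trust bit or chain is consulted to answer the server. Real clients additionally apply the listed certificate types and signature algorithms, and some also accept a certificate whose chain leads to a listed name; both are left out here to keep the issuer-name selection visible.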

