Nelson B wrote:
Please compare the built-in CA list for Communicator 4.7x and mozilla (any recent version). IIRC, mozilla's list is smaller. Yet it was derived from Communicator's list. If my memory isn't mistaken here, then CAs have been pulled from the list.
Right, but that's not quite "pulling" is it? That's "declining to copy."
Not if it's done by the same party, which it was. mozilla's present CA list is actually Netscape 7.1's list, that is, the final Netscape browser's CA list. Netscape/AOL managed the NSS CA list until about a year ago, up until moz 1.4 which is approximately equal to moz 1.4, in my judgement. Netscape 7.x's CA list did not include all the CAs in Communicator 4.x's list, IINM.
You doubted that any root CA list has ever been reduced, that any CAs have ever been removed. I cited an example.
It's not at all apparent to me that mozilla should have any less control, less ability, or less risk, than Netscape had, over removing CAs from the list. And Netscape did take money.
I see no reason why mozilla shouldn't do something similar, and say "we're going to concoct a new list every so often".
[...] what does it take to convince WebTrust that some party they've audited is no-longer following the audited practices, and therefore that party's seal ought to be reconsidered.
I recently learned that at least one "authenticode" cert has been revoked by its issuer because the issuer believed that the party to whom the cert was issued was violating some rule, probably some aspect of some agreement. I'm not familiar with the terms of the agreement(s) to which an applicant must agree to receive an authenticode cert, but that might be instructive to find out.
I suppose the issue here is that if a CA has a WebTrust, and the seal is pulled, then there is no problem with pulling Mozilla's root distro. Then, for a CA without a WebTrust, they probably wouldn't cause too much of a difficulty anyway, so that isn't an issue.
The remaining danger area is a CA with a WebTrust where Mozilla has decided to pull it, and WebTrust has not. On this, having a policy that clearly spells out that it can be pulled at sole discretion by MF, and taking no money (very important,
I agree. MF's policy needs to address that.
-- Nelson B
_______________________________________________ mozilla-crypto mailing list [EMAIL PROTECTED] http://mail.mozilla.org/listinfo/mozilla-crypto
