My apologies for not showing up on the list for a while. I have four new requests added to Bugzilla for CAs that want to have their root CA certificates added to Mozilla and related software products released by the Mozilla Foundation:

  ACCV (Spain-based CA run by regional government of Valencia)
    https://bugzilla.mozilla.org/show_bug.cgi?id=273189

  Camerfirma (Spain-based CA run by Chambers of Commerce of Spain)
    https://bugzilla.mozilla.org/show_bug.cgi?id=261778

  GCRA (Taiwan national root CA)
    https://bugzilla.mozilla.org/show_bug.cgi?id=274106

  XRamp (US-based commercial CA)
    https://bugzilla.mozilla.org/show_bug.cgi?id=273189

I've also included information about these CAs on my CA information page:

  http://www.hecker.org/mozilla/ca-certificate-list

Of the above CAs, Camerfirma and XRamp have successfully completed a WebTrust for CAs audit, so unless anyone has objections I plan to approve their requests in the next few days. I won't take any further action on ACCV or GCRA until I get more information on their audit status.

Concerning the overall issue of CA certificates in Mozilla, etc., I wanted to make two brief comments:

First, at the moment, and for the foreseeable future, I will be acting under my previously-announced policy of approving only CAs that have passed a WebTrust for CAs audit or a "WebTrust-equivalent" audit. I have not given up on crafting a policy that would go beyond that, but it will have to wait for 2005 until I have time to work on it.

Second, CAs often ask when their certificates can get into the various products: Firefox, Thunderbird, the Mozilla Application Suite, Camino, etc. The process works as follows:

1. I approve a CA.

2. An NSS developer (typically Nelson Bolyard in the past) adds the CA's certificate to the built-in certificate library in NSS (typically to both the NSS trunk and the NSS 3.9 branch).

3. The developers for the client products (Mozilla, etc.) do whatever is necessary to incorporate the new NSS changes into their respective products. In some cases this requires reapplying the proper NSS patch to a local copy of the NSS source code used for that product.

For the CAs I'm dealing with now, my goal is to get approved CAs into the next minor releases of the products: Mozilla 1.8, Firefox 1.1, and Thunderbird 1.1. (I've also been working with Mike Pinkerton re Camino, but I don't yet know what the target release will be in that case.)

Those releases will ship sometime around the March 2005 timeframe, with code freezes earlier in the year. So any CA approved by the end of 2004 should be able to make that schedule. If CA requests come in after the end of the year then I can't make any promises as to whether they'll be able to be included in the March 2005 releases.

There are things we could potentially do to get more timely turnaround on getting root CA certificates into Mozilla, etc., including building the NSS certificate library as a standalone operation (i.e., not requiring a complete NSS rebuild) and implementing an automatic updating scheme to push out new versions of the library. (For example, this could be integrated with the Firefox auto-update scheme.) IMO this would make a great project for a volunteer interested in getting into NSS development. I can't speak for Wan-Teh, Nelson, and the rest of the NSS developer team, but I suspect that they'd be happy to have the help.

Frank

--
Frank Hecker
[EMAIL PROTECTED]