Re: Comodo request for EV-enabling 3 existing roots

2008-04-02 Thread Frank Hecker
Eddy Nigg (StartCom Ltd.) wrote: > Even though the Comodo request has been approved, I wonder about two > additional points which you haven't addressed at all: > > The first is about having CA roots with wrong details in NSS, like > companies which effectively don't exist anymore (AddTrust AB, U

Re: Comodo request for EV root inclusion (COMODO Certification Authority)

2008-04-02 Thread Frank Hecker
Frank Hecker wrote: > Comodo has applied to (among other things) add a new EV root CA > certificate for the COMODO Certification Authority to the Mozilla root > store, as documented in the following bug: > > https://bugzilla.mozilla.org/show_bug.cgi?id=401587 > I have evaluated this request,

Re: Comodo request for EV-enabling 3 existing roots

2008-04-02 Thread Frank Hecker
Frank Hecker wrote: > This is a followup to my previous message about Comodo's application to > add a new EV root CA certificate. Comodo also has requested enabling > three existing roots, AddTrust External CA Root, UTN - DATACorp SGC, and > UTN-USERFirst-Hardware, for EV use, and also marking al

Re: What we want [was: Audit requirements for government CAs]

2008-04-02 Thread Eddy Nigg (StartCom Ltd.)
Frank Hecker: > > I don't want to go off on a tangent, but I think the Skype model is more > significant than you think. There is a problem that nobody knows what encryption this is and which keys are involved and who has access to these keys etc. Skype is fine for me, but I wouldn't exchange an

Re: Comodo request for EV-enabling 3 existing roots

2008-04-02 Thread Eddy Nigg (StartCom Ltd.)
Even though the Comodo request has been approved, I wonder about two additional points which you haven't addressed at all: The first is about having CA roots with wrong details in NSS, like companies which effectively don't exist anymore (AddTrust AB, UTN), location (Sweden, Utah) and other inf

Re: What we want [was: Audit requirements for government CAs]

2008-04-02 Thread Frank Hecker
Eddy Nigg (StartCom Ltd.) wrote: > Frank Hecker: >> (As a side note, based on my experience with and reading about >> industry dynamics, I think that advances in PKI-related technologies >> are much more likely to occur in new protocols and new products than >> in mainstream cases like browsing

Re: What we want [was: Audit requirements for government CAs]

2008-04-02 Thread Eddy Nigg (StartCom Ltd.)
Frank Hecker: > Gervase Markham wrote: > >> The EV distinction is clear. And EV exists precisely because the line >> between DV and IV/OV is fuzzy, and it would have been very difficult to >> correctly discern the difference programmatically. >> > > This is a key point worth emphasizing.

Re: What we want [was: Audit requirements for government CAs]

2008-04-02 Thread Eddy Nigg (StartCom Ltd.)
Frank Hecker: > Eddy Nigg (StartCom Ltd.) wrote: > >> Yes, this is a good argument in favor of EV and EV is exactly intended >> for that. Just a pity the rest of the public PKI is left broken, no >> matter what the reasons are (by design, lack of interest, commercial >> interests, etc), becau

Re: What we want [was: Audit requirements for government CAs]

2008-04-02 Thread Frank Hecker
Gervase Markham wrote: > The EV distinction is clear. And EV exists precisely because the line > between DV and IV/OV is fuzzy, and it would have been very difficult to > correctly discern the difference programmatically. This is a key point worth emphasizing. We use the terms "IV" and "OV", bu

Re: Audit requirements for government CAs

2008-04-02 Thread Frank Hecker
Gervase Markham wrote: > Frank Hecker wrote: >> It's a reasonable proposal, and we did look into doing this. >> Unfortunately there are .com domains and perhaps other non-.kr domains >> with certs issued by CAs in the KISA-rooted hierarchy. This is not >> unique to KISA and Korea either AFAIK.

Re: What we want [was: Audit requirements for government CAs]

2008-04-02 Thread Frank Hecker
Eddy Nigg (StartCom Ltd.) wrote: > Yes, this is a good argument in favor of EV and EV is exactly intended > for that. Just a pity the rest of the public PKI is left broken, no > matter what the reasons are (by design, lack of interest, commercial > interests, etc), because there is more to prote

Re: What we want [was: Audit requirements for government CAs]

2008-04-02 Thread Eddy Nigg (StartCom Ltd.)
Gervase Markham: > Eddy Nigg (StartCom Ltd.) wrote: > >> Currently the ratio of EV certs is below 1% of overall SSL secured web >> sites. If EV doesn't get a significant market share, your priorities >> might have been wrong and we should have addressed other issues as well. >> > > I don

Re: What we want [was: Audit requirements for government CAs]

2008-04-02 Thread Gervase Markham
Kyle Hamilton wrote: > Please tell me how to completely disable all Mozilla Foundation > included CAs without having to individually change the trust settings > on all of them? I can't trust Mozilla's certificate policy to protect > my interests -- I can't trust Mozilla's policy to ensure that > s

Re: Audit requirements for government CAs

2008-04-02 Thread Gervase Markham
Frank Hecker wrote: > It's a reasonable proposal, and we did look into doing this. > Unfortunately there are .com domains and perhaps other non-.kr domains > with certs issued by CAs in the KISA-rooted hierarchy. This is not > unique to KISA and Korea either AFAIK. I personally think that, if

Re: What we want [was: Audit requirements for government CAs]

2008-04-02 Thread Gervase Markham
Eddy Nigg (StartCom Ltd.) wrote: > Currently the ratio of EV certs is below 1% of overall SSL secured web > sites. If EV doesn't get a significant market share, your priorities > might have been wrong and we should have addressed other issues as well. I don't really have the bandwidth to dive i