Re: Comodo request for EV root inclusion (COMODO Certification Authority)
Frank Hecker wrote:
> Comodo has applied to (among other things) add a new EV root CA certificate for the COMODO Certification Authority to the Mozilla root store, as documented in the following bug:
> https://bugzilla.mozilla.org/show_bug.cgi?id=401587

[snip]

> I have evaluated this request, as per the mozilla.org CA certificate policy:
> http://www.mozilla.org/projects/security/certs/policy/
> and plan to officially approve the request after a public comment period.

The public comment period ended last week, but we had some additional discussions around various Comodo-related issues, most notably the wildcard DV cert issue and the long-lived DV cert issue. Although I acknowledge that there were/are valid concerns associated with those issues, in the end I made a judgment call that they didn't rise to a level that would justify my rejecting Comodo's request or delaying approval.

I've therefore given my final approval to this request and filed bugs 426568 and 426572 against NSS and PSM respectively:
https://bugzilla.mozilla.org/show_bug.cgi?id=426568
https://bugzilla.mozilla.org/show_bug.cgi?id=426572

Frank

--
Frank Hecker
[EMAIL PROTECTED]
___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: Comodo request for EV root inclusion (COMODO Certification Authority)
Eddy, it was certainly never my intention to lead you to conclude that the COMODO Certification Authority root certificate will only issue EV certificates and should be enabled for EV only.

What I actually said was: "I can assure you that Comodo never issue DV and EV certs from the same *Intermediate* CA." I did not mention Root CAs in this statement.

On reflection, it occurs to me that Intermediate and Root are perhaps not the best words to use, since the now widespread use of cross-certification blurs the distinction somewhat. Perhaps the following statement is clearer: "I can assure you that Comodo never issue End-Entity DV and EV certs from the same Issuing CA."

In the same message, I also said "...we really need to have generic (rather than purpose-specific) trust anchors."

So, please change the details on the Pending page back to how they were. As per Bug #401587 Comment #0, we still really do want the COMODO Certification Authority to be enabled for All 3 purposes: DV, IV/OV and EV.

Now, Frank has said "At present there are two subordinate CAs under the COMODO Certification Authority root: COMODO EV SSL CA and COMODO EV SGC CA. These two subordinates are the issuing CAs for end entity certs."

This statement is correct, as long as you don't interpret "...there are two..." as "...there are only two and will only ever be two".

As it happens, we also have a further subordinate CA under COMODO Certification Authority, which we already use for issuing one of our brands of DV certificate. We also have plans to issue an IV/OV subordinate at some point.

As before, I'll defer to Robin Alden to answer any CPS-related questions you may have about this. I apologize on behalf of Comodo if we have inadvertently omitted to draw your attention to some of this information sooner.

I spoke to Robin Alden earlier today. He hopes to be able to reply to at least some of your questions today.

On Tuesday 18 March 2008, Eddy Nigg (StartCom Ltd.) wrote:
> Frank Hecker:
> > Comodo has applied to (among other things) add a new EV root CA certificate for the *COMODO Certification Authority* to the Mozilla root store, as documented in the following bug:
> > https://bugzilla.mozilla.org/show_bug.cgi?id=401587
> > Note that this request specifically refers to the COMODO Certification Authority root CA certificate referenced in comment #16 to bug 401587:
> > https://bugzilla.mozilla.org/show_bug.cgi?id=401587#c16
>
> The details at the Pending page have been updated by Frank concerning this CA root. There are no objections to adding this root, but please note that this root will only issue EV certificates * and should be enabled for EV only, provided if and when we have that capability in NSS. Perhaps we want to open a catch-all bug for such roots which are added under this condition.
>
> * Confirmed by Rob Stradling from Comodo.

--
Rob Stradling
Senior Research Development Scientist
Comodo - Creating Trust Online
Office Tel: +44.(0)1274.730505
Fax Europe: +44.(0)1274.730909
www.comodo.com
Comodo CA Limited, Registered in England No. 04058690
Registered Office: 3rd Floor, 26 Office Village, Exchange Quay, Trafford Road, Salford, Manchester M5 3EQ
Re: Comodo request for EV root inclusion (COMODO Certification Authority)
Rob Stradling wrote:
> So, please change the details on the Pending page back to how they were. As per Bug #401587 Comment #0, we still really do want the COMODO Certification Authority to be enabled for All 3 purposes: DV, IV/OV and EV.

I've changed the pending list entry for COMODO Certificate Authority back. Note that from a technical perspective (i.e., in terms of the NSS trust bits) this makes no difference. As I've noted earlier, we have no technical means to permit the use of EV certs but not DV or IV/OV roots.

> As it happens, we also have a further subordinate CA under COMODO Certification Authority, which we already use for issuing one of our brands of DV certificate.

Could you identify the subordinate CA in question and the Comodo brand it's being used in conjunction with? This is information I'd like to add to the pending list entry.

Frank

--
Frank Hecker
[EMAIL PROTECTED]
Re: Comodo request for EV root inclusion (COMODO Certification Authority)
Rob Stradling:
> Now, Frank has said "At present there are two subordinate CAs under the COMODO Certification Authority root: COMODO EV SSL CA and COMODO EV SGC CA. These two subordinates are the issuing CAs for end entity certs."

The naming convention suggests that these intermediate CAs will issue (only) EV certificates. I'm sorry that I misunderstood that.

> This statement is correct, as long as you don't interpret "...there are two..." as "...there are only two and will only ever be two". As it happens, we also have a further subordinate CA under COMODO Certification Authority, which we already use for issuing one of our brands of DV certificate.

Are you issuing DV certificates from the intermediate CA certificates mentioned above? Or are there other intermediate CA certificates operating under this root besides the two mentioned above?

> I spoke to Robin Alden earlier today. He hopes to be able to reply to at least some of your questions today.

Great, looking forward to that. Thanks!

--
Regards

Signer: Eddy Nigg, StartCom Ltd. http://www.startcom.org
Jabber: [EMAIL PROTECTED] xmpp:[EMAIL PROTECTED]
Blog: Join the Revolution! http://blog.startcom.org
Phone: +1.213.341.0390
Comodo request for EV root inclusion (COMODO Certification Authority)
Comodo has applied to (among other things) add a new EV root CA certificate for the COMODO Certification Authority to the Mozilla root store, as documented in the following bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=401587
and in the pending certificates list:
http://www.mozilla.org/projects/security/certs/pending/#Comodo

I have evaluated this request, as per the mozilla.org CA certificate policy:
http://www.mozilla.org/projects/security/certs/policy/
and plan to officially approve the request after a public comment period.

Note that this request specifically refers to the COMODO Certification Authority root CA certificate referenced in comment #16 to bug 401587:
https://bugzilla.mozilla.org/show_bug.cgi?id=401587#c16

To simplify the process I am doing this particular root first, and then I will consider Comodo's requests related to the other Comodo roots.

Frank

--
Frank Hecker
[EMAIL PROTECTED]
Re: Comodo request for EV root inclusion (COMODO Certification Authority)
Frank Hecker:
> Comodo has applied to (among other things) add a new EV root CA certificate for the COMODO Certification Authority to the Mozilla root store, as documented in the following bug:
> https://bugzilla.mozilla.org/show_bug.cgi?id=401587
> and in the pending certificates list:
> http://www.mozilla.org/projects/security/certs/pending/#Comodo
>
> I have evaluated this request, as per the mozilla.org CA certificate policy:
> http://www.mozilla.org/projects/security/certs/policy/
> and plan to officially approve the request after a public comment period.
>
> Note that this request specifically refers to the COMODO Certification Authority root CA certificate referenced in comment #16 to bug 401587:
> https://bugzilla.mozilla.org/show_bug.cgi?id=401587#c16
>
> To simplify the process I am doing this particular root first, and then I will consider Comodo's requests related to the other Comodo roots.

Sorry Frank, but I can't figure which root *exactly* you are referring to. If you also know which and how many sub roots are already issued from this root it would be helpful information.

--
Regards

Signer: Eddy Nigg, StartCom Ltd. http://www.startcom.org
Jabber: [EMAIL PROTECTED] xmpp:[EMAIL PROTECTED]
Blog: Join the Revolution! http://blog.startcom.org
Phone: +1.213.341.0390
Re: Comodo request for EV root inclusion (COMODO Certification Authority)
Eddy Nigg (StartCom Ltd.) wrote:
> Sorry Frank, but I can't figure which root *exactly* you are referring to.

It's in the subject line and the message body: The name of the root is in fact COMODO Certification Authority. My apologies if that wasn't clear. It's the last root certificate listed in the Comodo entry in the pending list:
http://www.mozilla.org/projects/security/certs/pending/#Comodo

There are 11 other roots listed in that entry and included in the overall set of Comodo requests in bug 401587, but the COMODO Certification Authority root is the only new root. (As I mentioned in my previous message, I'll discuss the other roots in due course.)

> If you also know which and how many sub roots are already issued from this root it would be helpful information.

By sub roots I presume you mean subordinate CAs. At present there are two subordinate CAs under the COMODO Certification Authority root: COMODO EV SSL CA and COMODO EV SGC CA. These two subordinates are the issuing CAs for end entity certs.

Frank

--
Frank Hecker
[EMAIL PROTECTED]
Re: Comodo request for EV root inclusion (COMODO Certification Authority)
Frank Hecker:
> It's in the subject line and the message body: The name of the root is in fact COMODO Certification Authority.

Oh, I didn't realize that...the name sounds so general, I didn't think this to be the name of the CA root certificate ;-)

> There are 11 other roots listed in that entry and included in the overall set of Comodo requests in bug 401587, but the COMODO Certification Authority root is the only new root. (As I mentioned in my previous message, I'll discuss the other roots in due course.)

+1 I like this approach.

> By sub roots I presume you mean subordinate CAs. At present there are two subordinate CAs under the COMODO Certification Authority root: COMODO EV SSL CA and COMODO EV SGC CA. These two subordinates are the issuing CAs for end entity certs.

Exactly what I meant, thanks!

--
Regards

Signer: Eddy Nigg, StartCom Ltd. http://www.startcom.org
Jabber: [EMAIL PROTECTED] xmpp:[EMAIL PROTECTED]
Blog: Join the Revolution! http://blog.startcom.org
Phone: +1.213.341.0390