Re: CAs and external entities (resellers, outsourcing)

2009-01-12 Thread wolfgang . pietrus
On Dec 31 2008, 12:27 am, Frank Hecker hec...@mozillafoundation.org wrote: Eddy Nigg wrote: I edited the Problematic Practices page and added https://wiki.mozilla.org/CA:Problematic_Practices#Delegation_of_Domai... It might need some improvement. Frank, can you review? This will affect

Re: CAs and external entities (resellers, outsourcing)

2009-01-12 Thread Eddy Nigg
On 01/12/2009 11:27 AM, wolfgang.piet...@t-systems.com: Frank, The Comodo topic has once again sparked a fierce discussion about the validity of certificates, how appropriate levels of security and trust should look and what to do to establish them. Since we expect this discussion to

Re: CAs and external entities (resellers, outsourcing)

2009-01-12 Thread wolfgang . pietrus
On Jan 12, 10:45 am, Eddy Nigg eddy_n...@startcom.org wrote: On 01/12/2009 11:27 AM, wolfgang.piet...@t-systems.com: Frank, The Comodo topic has once again sparked a fierce discussion about the validity of certificates, how appropriate levels of security and trust should look and

Re: CAs and external entities (resellers, outsourcing)

2009-01-03 Thread Ben Bucksch
On 31.12.2008 19:57, Frank Hecker wrote: Kyle Hamilton wrote: Ummm... has an enterprise PKI ever been included in Mozilla? Sorry, I wasn't being clear here. I'm not referring to enterprises that have their own root CAs. I was referring to schemes where enterprises work through CAs like

Re: CAs and external entities (resellers, outsourcing)

2009-01-02 Thread Eddy Nigg
On 01/02/2009 06:55 PM, ro...@comodo.com: That thread has a lot going on and I don't propose to try to address it all. However, I will address your reading of our CPS in an attempt to bring some degree of clarity. If I correctly understood your referenced post, you asserted that: 1)

Re: CAs and external entities (resellers, outsourcing)

2008-12-31 Thread Frank Hecker
Kyle Hamilton wrote: Ummm... has an enterprise PKI ever been included in Mozilla? Sorry, I wasn't being clear here. I'm not referring to enterprises that have their own root CAs. I was referring to schemes where enterprises work through CAs like VeriSign to issue certificates to their own

Re: CAs and external entities (resellers, outsourcing)

2008-12-31 Thread Eddy Nigg
On 12/31/2008 08:57 PM, Frank Hecker: employees, servers, etc. IIRC in a number of these schemes the CA is responsible for actually issuing the certificates but the validation is done by the enterprise. (For example, the CA might provide a web-based interface by which authorized representatives

Re: CAs and external entities (resellers, outsourcing)

2008-12-31 Thread Eddy Nigg
On 12/31/2008 12:30 PM, Rob Stradling: Yes, Reseller and RA are 2 distinct roles. However, in some cases, a single entity may choose (and be approved) to perform both of these roles. I fully agree that the Reseller role should not perform any validation procedures at all. Robin, could you

Re: CAs and external entities (resellers, outsourcing)

2008-12-30 Thread Kai Engert
Ian G wrote: Which language suggests they have to do verification *themselves* ? The fact that the policy talks about a CA, and I didn't see talk about external entities. BTW, it would be quite problematic to insist that the CAs do this job themselves. CAs are not generally experts on

Re: CAs and external entities (resellers, outsourcing)

2008-12-30 Thread Eddy Nigg
On 12/30/2008 03:24 PM, Kai Engert: As I see verification as the core intention of the CA principle, I would have assumed above requirement is obvious to everyone, at least to CAs themselves. One of Comodo's CPS (the one responsible for PositiveSSL) claims: To validate PositiveSSL and

Re: CAs and external entities (resellers, outsourcing)

2008-12-30 Thread Kai Engert
Eddy Nigg wrote: On 12/28/2008 01:13 PM, Kai Engert: The current Mozilla CA Certificate Policy says: 6. We require that all CAs whose certificates are distributed with our software products: ... provide attestation of their conformance to the stated verification requirements ... Kai, just

Re: CAs and external entities (resellers, outsourcing)

2008-12-30 Thread Eddy Nigg
On 12/30/2008 08:39 PM, Kai Engert: Eddy Nigg wrote: On 12/28/2008 01:13 PM, Kai Engert: The current Mozilla CA Certificate Policy says: 6. We require that all CAs whose certificates are distributed with our software products: ... provide attestation of their conformance to the stated

Re: CAs and external entities (resellers, outsourcing)

2008-12-30 Thread Ian G
On 30/12/08 20:41, Eddy Nigg wrote: I edited the Problematic Practices page and added https://wiki.mozilla.org/CA:Problematic_Practices#Delegation_of_Domain_.2F_Email_validation_by_third_parties My comment: it is written like a requirement, using MUST. This is confusing, and it bypasses

Re: CAs and external entities (resellers, outsourcing)

2008-12-30 Thread Eddy Nigg
On 12/30/2008 10:46 PM, Ian G: On 30/12/08 20:41, Eddy Nigg wrote: I edited the Problematic Practices page and added https://wiki.mozilla.org/CA:Problematic_Practices#Delegation_of_Domain_.2F_Email_validation_by_third_parties My comment: it is written like a requirement, using MUST. This

Re: CAs and external entities (resellers, outsourcing)

2008-12-30 Thread Frank Hecker
Eddy Nigg wrote: I edited the Problematic Practices page and added https://wiki.mozilla.org/CA:Problematic_Practices#Delegation_of_Domain_.2F_Email_validation_by_third_parties It might need some improvement. Frank, can you review? This will affect obviously only future inclusion requests and

Re: CAs and external entities (resellers, outsourcing)

2008-12-30 Thread Eddy Nigg
On 12/31/2008 01:27 AM, Frank Hecker: One reason I say this is good CA practice as opposed to a mandatory requirement, is because of cases like enterprise PKIs where the enterprises might act as RAs and do verification based on their own internal systems (e.g., HR databases). I think this is

Re: CAs and external entities (resellers, outsourcing)

2008-12-29 Thread Ben Bucksch
On 28.12.2008 12:13, Kai Engert wrote: From my perspective, it's a CA's job to ensure competent verification of certificate requests. The auditing required for CAs is supposed to prove it. The verification task is the most important task. All people and processes involved should be part of

Re: CAs and external entities (resellers, outsourcing)

2008-12-29 Thread Frank Hecker
Kai Engert wrote: From my perspective, it's a CA's job to ensure competent verification of certificate requests. The auditing required for CAs is supposed to prove it. snip In my opinion, it means, a CA must do this job themselves. My quick personal perspective on this (and I'll apologize in

Re: CAs and external entities (resellers, outsourcing)

2008-12-29 Thread Eddy Nigg
On 12/29/2008 08:04 PM, Frank Hecker: When we created the policy I was well aware of the existence of RAs and of the possibility that CAs might outsource functions like domain validation to RAs. Whether or not this is clear from the policy (and I guess it's not, since you and others are asking

Re: CAs and external entities (resellers, outsourcing)

2008-12-29 Thread Ian G
On 29/12/08 23:37, Kyle Hamilton wrote: This comment is likely going to be viewed as being in poor taste... It is rather on point. It is also likely to be viewed as poor taste :) Wasn't it a lack of regulation that managed to put the US and the rest of the world into this economic

Re: CAs and external entities (resellers, outsourcing)

2008-12-29 Thread Ben Bucksch
On 29.12.2008 19:04, Frank Hecker wrote: So, in theory at least a WebTrust for CAs audit is supposed to confirm management's assertions that verification of subscriber information is being done properly, including any verifications done by third-party RAs acting on behalf of the CA. In

Re: CAs and external entities (resellers, outsourcing)

2008-12-29 Thread Eddy Nigg
On 12/30/2008 04:04 AM, Ben Bucksch: So, who actually controls that verifications are done at all? I mean, paper is nice, I can claim and write all I want, and not actually do it, but I thought the point of the audit was to *check* and control and ensure that the processes are *actually* carried

Re: CAs and external entities (resellers, outsourcing)

2008-12-29 Thread Eddy Nigg
On 12/30/2008 04:23 AM, Eddy Nigg: This is most likely not what the Mozilla CA Policy envisioned and requires. As a matter of fact, we could have known about it and considered it insufficient during Comodo's review last spring. Unfortunately even if it came up in some form, it drowned by the

Re: CAs and external entities (resellers, outsourcing)

2008-12-28 Thread Ian G
Hi Kai, long reply, I appreciate the grounding in actual policies and practices! This allows us to explore what we really can and cannot do. (I've cut two of your comments out to other posts where they might be generally interesting for the wider audience.) On 28/12/08 12:13, Kai Engert

Re: CAs and external entities (resellers, outsourcing)

2008-12-28 Thread Eddy Nigg
On 12/28/2008 01:13 PM, Kai Engert: The current Mozilla CA Certificate Policy says: 6. We require that all CAs whose certificates are distributed with our software products: ... provide attestation of their conformance to the stated verification requirements ... Kai, just to counter Ian's