NSS

Comment 115 for bug 310999

(In reply to Paul Rubin from comment #18)
> Paul (comment #12): Mozilla in my opinion should stay out of the PKI
> business.

If this is the case, Mozilla should shut its entire root inclusion program down. This isn't going to happen.

If Mozilla had been running a cross-certification authority, it would have been able to revoke the cross-certificate and this entire problem would be obviated. (Of course, this would also rely on cross-certificates working properly, which they currently do not.)

The lack of this has directly impacted the safety and security of Mozilla's customers.

  See some of the discussion including Nelson's comments (and mine)
> at bug #215243. The acceptance criterion is 3rd party audit of prospective
> CA's.

You're right. It is the acceptance criterion.

What the PKI section (i.e., kwilson) would be doing is certifying that they've received all of the documentation (including audit statement), the comment period didn't turn up anything show-stopping, and that the audit is good until the date that the cross-certificate expires.

Alternatively, we could embed long-term cross-certificates, and rely upon OCSP or CRLs downloaded in evaluation.

But I don't really think that "in my opinion" is good enough to say no.

Iran used the *.google.com certificate from Comodo to locate and assassinate dissidents in the month of botched revocation handling between Mozilla and Microsoft. There has been active loss of life, demonstrable harm. Do you still hold the opinion that Mozilla shouldn't be in the PKI business? (I'm replying to a comment from 2008, there has been adequate time for minds to change.)