On 2/2/2010 2:45 PM, David E. Ross wrote:
> On 2/1/2010 4:02 PM, Kathleen Wilson wrote:
>> I have created a new wiki page which outlines the process for changing a
>> root certificate that is currently included in NSS. This includes the
>> process for disabling or removing a root certificate from NSS.
>> https://wiki.mozilla.org/CA:Root_Change_Process
>> This page is linked to from https://wiki.mozilla.org/CA:Overview in the
>> "Work in progress" section. The link is called "Root Change Process".
>> In writing this process, I have taken into account input that was
>> provided through previous discussions, bug postings, the previous
>> removal policy notes
>> (https://wiki.mozilla.org/CA:Root_Removal_Policy_Notes), and my current
>> work to clean up the legacy roots that are no longer audited/used.
>> I will greatly appreciate your feedback on the new documentation for the
>> root change process: https://wiki.mozilla.org/CA:Root_Change_Process
>> Kathleen
> Much of this Wiki reads like a policy and not merely a procedure. After
> an extended public discussion, I think this should be subjected to
> formal approval by the Mozilla organization, moved out of
> wiki.mozilla.org, and made into a Web page at
> http://www.mozilla.org/projects/security/certs.
> Under "Add a Trust Bit", the first two bullets under #4 currently read
> as if an existing bug report is being updated. However, #4 is clearly
> about a new bug. In the first bullet, "Change the bug summary ... "
> should instead be "Set the bug summary ... ". In the second bullet, "In
> the bug description add a reference ... " should instead be "In the bug
> description, include a reference ... ". (Note the added comma.) This
> same comment applies to #4 under "Enable EV".
> Under "Disable a Root", #1 does not indicate a need for the affected CA
> to submit the bug report. Instead, this section implies that anyone can
> submit it. This is different from "Add a Trust Bit" and "Enable EV",
> both of which state in their lead sentences that the affected CA submits
> the bug report. If this difference is intentional, there should be no
> implication; an explicit statement is needed. For example, #1 could
> read: "Any individual may initiate the request."
> Under "Disable a Root", the second subbullet under the first bullet of
> #3 is not worded in parallel with the first subbullet. It looks
> strange. Perhaps, it should be "Whether the root certificate should be
> removed from NSS instead of unsetting trust bits." (In the first
> subbullet, "trust bits" should not be capitalized.)
> Under "Disable a Root", the fourth bullet under #3 is not clear. Where
> it says " ... a qualified representative of either the CA or Mozilla has
> ... ", is the qualified representative of Mozilla distinct from the
> Mozilla representative cited at the beginning of the sentence? I think
> it should be; that is, it should take at least two senior Mozilla staff
> members to disable a root if the CA is not in agreement.
> In #4-6 under "Disable a Root" (referring back to my comment immediately
> above), to which representative of Mozilla do these refer?
> In #7 under "Disable a Root", are you able to unset a trust bit in a
> root certificate that is already installed in a Mozilla-based product on
> my PC? That raises the question under "Add a Trust Bit": Are you able
> to set a trust bit in a root certificate that is already installed in a
> Mozilla-based product on my PC? What if I have already changed a trust
> bit in my own configuration to a value different from the way it is in
> the controlled NSS database?
> Under "Disable a Root", the same comments for "Disable a Root" also
> apply. Regarding the comment about unsetting and setting trust bits for
> "Disable a Root", I question whether you are able to remove a root
> certificate from my own PC's configuration. What if I have added a root
> certificate that is not in the controlled NSS database? If you do
> indeed remove a root certificate from my PC and I then add it back into
> my configuration, can you later remove it again?