On Tue, 7 Nov 2006, Gervase Markham wrote:
> Robert Sayre wrote:
> > We will probably arrive at this state if we are at all serious. We need
> > to have a clear definition of "obvious disregard" and the consequences,
> > so the event doesn't become a negotiation.
>
> Well, it's never a negotiation, because we have unilateral power :-)

I wish CAs believed that were the case!  I think some of the skepticism
you are encountering in this discussion is skepticism that Verisign and
other CAs will actually feel any pressure.  Right now, they have most of
the power and Mozilla has very little, because Verisign has a monopoly
and Mozilla does not.  If Mozilla removed Verisign from its root CA list,
its users would probably switch to IE.

When Verisign issues a bogus certificate -- as it has in several cases --
it should suffer real consequences: legal action, financial penalties,
temporary decertification.  Users should be made aware if they are
relying on certificates signed by an incompetent CA (e.g. "Warning: the
agency that certifies this site is known to have issued misleading
certificates.")  An effective revocation mechanism, temporary or
permanent, for CAs and for individual certificates, would probably help
to some degree.

But, as I said, right now Mozilla doesn't seem to have the power to hold
Verisign accountable for its errors.  It would be good to find ways
to hold CAs more accountable.  Part of the problem is that the structure
of PKI strengthens monopolies: as a web user, you don't have the option
to choose which CAs you trust.  When you go to a bank website, you only
get a signature from a single CA -- take it or leave it.  In that
position, you can't exert any competitive pressure on CAs.  The power
balance might be different if the SSL protocol turned this around:
browsers and browser users select the CAs they trust, then the browser
tells the website what CAs it will accept and the website must present an
acceptable certificate.  This would encourage websites to get certificates
from many CAs, hoping to meet the standards set by the users.


-- ?!ng
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
