Gervase Markham wrote:

So if Mozilla is not showing a particular level, and the CAs are not selling certificates at a particular level... what's the point of having the level?
Here are a few examples:
- Suppose Mozilla would like to have a fine-grained level system of eight levels (I'm not proposing that!), it could however decide to show only four of them in the UI.
- Or more in line with our proposal: Level 4 would only be shown in client software such as Thunderbird and treat it as Level 3 in the browser.
- Or: Level 0 which was explicitly accepted by the user has the same indicator as Level 1 in the UI.

Four levels is also complex to indicate. Three (something like "nothing", "shop", "bank") is possible, but has also been objected to as too complex. I personally think three is the sweet spot.
If "nothing" is domain validated (Level 1), then I agree with you. This would certainly improve the whole thing a lot.
No! The Mozilla CA policy says clearly, that there is no commitment and a CA root can be removed. It's part of that contract anyway! No problem here...

It says that; that doesn't necessarily mean a CA wouldn't win a lawsuit if we removed their root and they sued. There may be an implied contract.
Right, that's why I propose to let CAs explicitly agree to the Mozilla CA policy as the only agreement between the CA and Mozilla, removing any implied or other form of understanding (if at all). Making things very clear helps to avoid future problems.
We both agree that it's one for the lawyers; my point is only that you cannot assume that we can definitely have a one-sided contract with a CA.
Mmmhh, one-sided or not, this is what agreements are here for. Except that, the CA wants something from Mozilla and not the other way around. Mozilla explains its terms and conditions, the CA doesn't have to agree to it. Take it or leave it, Mozilla is not forcing any CA... But let's have the Mozilla lawyers go over this...

(I can hear some of you saying: "Ohhh... and what if Verisign or Thawte don't agree to it? We can't do that...". In such a case, Mozilla would have to ask itself some really hard questions...)
Wrong! The audit confirms every type of levels, classes and verifications a CA performs (implied by the CA policy and practices). Your first statement contradicts the second one.

No contradiction. Focus on the word "minimum". If you say you will do no verification at all, and you actually do no verification at all, you pass the audit.
That's right! But the audit confirms exactly that (in your example, no verification). The CA will have to mark its certificates compared to its policy which was audited accordingly. In this case, the CA couldn't mark any level and would not be accepted into the NSS certificate store at all. In short: The audit *confirms* the various verification procedures of the CA. Period. Now all the CA has to do, is to find the appropriate level for each verification method. That was the starting point of this issue.

The difference is that your proposal is not an attempt to improve the (in my view, poor) quality of information embedded in current certs - it's just an attempt to assign a set of numbers to the status quo.
Right, which is certainly not good. I agree with your statement above completely! But if we are at it, let's improve the whole thing and take the lead for an overall improvement. In that respect, also EV will receive its rightful position in this hierarchy.

A public source? A URL?
Oh, you know that one ;-) : http://www.theregister.co.uk/2006/10/25/verisign_extended_validation/

--
Regards

Signer:      Eddy Nigg, StartCom Ltd.
Phone:       +1.213.341.0390
