Gervase Markham wrote:

> Right. But if I promise you a pony, it doesn't mean you'll get one.

Sure, but if a false promise might have some consequences, you'll think twice about whether it's worth promising me a pony if in fact it is a donkey ;-)

> There's a fine line to walk between strait-jacketing the CAs into a single set of verification practices (which is unworkable, given country variations) and having it so loose that there's leeway for cheating. Writing such a standard is not easy.
Good comment! Let's work on this...

> It's very clear about some simple, baseline things like domain control verification - and there aren't very many ways to do that. When you get on to verifying organisation names and companies, things get much more complicated.
Agreed, so "complicated" doesn't mean "unsolvable"...
> But this discussion would be less abstract if you were to come up with a more detailed proposal, that gave (for example) the definition of what would be required for a Level 3 certificate.

There is a reason why we didn't include any further details. We didn't want the discussion to concentrate on the details themselves in the beginning, but on the general idea. Just imagine I'd proposed A as sufficient for level X; everything would have gone upside down.

I'd rather suggest taking baby steps:

Suppose the participants think that this proposal is worth investigating further and is generally a good idea which should be worked on (it doesn't mean that it has to be implemented, but certainly evaluated better); then we can continue to the next step and start to define portions of it. I guess that defining the levels will be a really fun thing... with a lot of ideas and opinions ;-) Having said that, I expect some involvement by others... this is not going to be a solo show...

> It is. Auditors make sure you are doing something you have committed to do. That is their job. And that's exactly what we want.

OK... and as I said, in that respect there is no change...

>> In such a case, a CA would have to live up to its claim! I suspect that a CA wouldn't take on a higher level because of the promise involved. First of all, should a problem arise, the CA would be responsible up to the level it assigned to the certificate.

> In what way would they be responsible? Does your proposal include liability? If so, how much, and under what circumstances?

I suggest that Mozilla must have a clear policy on what it will do under such circumstances. Liabilities are covered by the respective CA policy, but assignment of a certain level could be used by a subscriber and/or relying party as proof in court. But of course this is something we will have to work on as well.

>> OK, now this is actually a very good case for our proposal! First of all I'd like to point out that the certificate signed by XRamp might be a domain-validated-only certificate - I couldn't figure it out (another good reason why we need the levels).

> I'm told it's OV; if you can show differently, that would be interesting.

As I said, I don't know... (If the certificate had an OID, then we could know it easily ;-))

>> However, the second certificate was issued by Comodo Class 3 and by common practice at CAs would have to be a fully verified certificate (similar to EV, i.e. Class/Level 3). Obviously this is not the case here, which is why we *need* to have our proposal implemented!

> How would your proposal prevent this happening?
>
> No-one lied to get that certificate. The company named in it really exists. To reduce the incidence of confusing O fields, you need a standard for exactly what can be put in it. Like, er, the one EV has.

What I saw in the certificates weren't any organization names, but just names. It is obvious that these certificates weren't validated at all. The company exists, but the ones "owning" the certificate aren't the company in question. Apart from that, yes Gerv, Class 3 validation is similar to EV as I see it (to say the least) and there isn't much new about it... The problems which I have with EV aren't about that, and you know it...

And I have to say it once again: EV is part of our proposal if it is implemented. It will receive its rightful place in this structure! It doesn't discriminate against EV... but it will be part of the structure and simply won't have exclusivity. You see, this is why we didn't want to define the levels too much for now, because this should really be up for discussion.

>> In the case of the Comodo certificate, they couldn't have marked it as Level 3 (as the issuer certificate might indicate), and if they had done that nevertheless, it would have been a breach of contract (the one between Mozilla and the CA).

> Why, exactly? What did they not do that they should have?

Suppose this was Level 3; then it should have been validated. As I understand it, they weren't validated at all (only the domain).

>> Right! But Mozilla can provide the foundation and framework for having certificates marked correctly. The Mozilla CA policy can be the definition (call it a standard if you want). The CAs get audited as before and the subscribers and relying parties (i.e. the public) are the people making the judgment (with the help of a good UI). When thousands of people are able to know a lot more about a certificate than today - with a clear definition in place - no CA will dare to cheat.

> I just don't see that world ever happening. Most of the planet has far better things to do than learn about certificates and CAs.

Suppose the UI is able to make this visually easy to see and/or the required information is easily accessible; then this might just work. Apart from that, not every user is your mom... ;-)

> Because they agreed with me that there was no possibility of imposing standardisation on the existing product set.
Really? :D

> Firefox has a market share of something like 15% worldwide. Not a majority, but not to be sneezed at either.

So I have some good news for you... In Europe, especially Germany, the market share is sometimes more than IE's. I always like this one too: http://www.boingboing.net/stats/#browsers (This site isn't a geek site or so... in the US I think... Firefox had less than 10% about 2 years ago... enjoy :-))

--
Regards

Signer:      Eddy Nigg, StartCom Ltd.
Phone:       +1.213.341.0390
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security