Gervase Markham wrote:
> My definition of a "sucky" code signing cert is one in which the
> information inside about the owner of the cert isn't accurate.
It's a bad definition of a "sucky" code signing certificate. You don't care *who* the owner of the cert is. What you care about is if he intends to use his signing cert to distribute spyware extensions. And his identity tells you nothing about that.

Cf. http://www.schneier.com/crypto-gram-0402.html#6

"In an ideal world, what we'd want is some kind of ID that denotes intention."

"This is, of course, ridiculous, so we rely on identity as a substitute. In theory, if we know who you are, and if we have enough information about you, we can somehow predict whether you're likely to be an evildoer"

Schneier then goes on explaining how this doesn't really work in the real world. But here you're lower than that: you only have the identity, and nothing to base upon to predict if the owner is likely to be an evildoer.

And when I say that you have the identity, I'm being generous. I'm afraid with certain CAs a personal code signing certificate only proves the credit card transaction made to obtain it has not yet been repudiated. Or that you have not yet found out it was charged on a very recent bank account opened with a fake ID.

What you'd really want is some process to review the requester (or his code) before granting him the code signing certificate. You would want to freely customize that process to find out what works best, what the best compromises are between convenience and security. But we know in advance no process will be perfect. So what's really important is to have the absolute guarantee that his certificate gets revoked as soon as you decide it should. And a very efficient dissemination process for revocation information; relying on the user downloading tens of CRLs from various CAs will never fit the bill.

All those things will work infinitely better with a private certificate authority than with the various public code signing authorities that exist.
Also, about the worldwide identity vetting and validation, there are few public certificate authorities that really can do that. If really needed, I think it would be easier for the mozilla community to find a recognised community member to do face to face authentication in almost any place on the planet than for them.

_______________________________________________
dev-tech-crypto mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-crypto
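The post argues that, for a private extension-signing CA, the property that matters is not who the signer is but that the client refuses the package the moment the CA revokes the signing certificate. The Go program below is an added example written for this page; it is not code from the thread, from Mozilla, or from any CA. It builds a throwaway CA and code-signing certificate in memory (all names, serials and the "package" bytes are constructed), signs a blob, verifies it, revokes the signer, publishes a new CRL and verifies again. The client-side check treats a missing or stale CRL as a failure rather than a pass, which is the caveat the post's "absolute guarantee" requires.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"log"
	"math/big"
	"time"
)

var (
	ErrBadSignature = errors.New("signature does not match package")
	ErrRevoked      = errors.New("signing certificate is revoked")
	ErrStaleCRL     = errors.New("CRL is past its nextUpdate; refuse rather than guess")
)

// PKI is a toy private CA held entirely in memory: CA cert and key, one issued
// code-signing cert and key, the revoked serials, and the current CRL (DER).
type PKI struct {
	caCert, signer *x509.Certificate
	caKey, signKey *ecdsa.PrivateKey
	revoked        []pkix.RevokedCertificate
	crlNumber      int64
	crlDER         []byte
}

// newCert generates a P-256 key and issues a certificate for it. With a nil
// parent the template is self-signed (the root).
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	issuerKey := parentKey
	if parent == nil {
		parent, issuerKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, issuerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewPKI builds the CA, issues one code-signing certificate and publishes an empty CRL.
// Subject names are constructed for the example.
func NewPKI() (*PKI, error) {
	now := time.Now()
	caCert, caKey, err := newCert(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Extension Signing CA (constructed)"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // CRLSign: CA signs its own CRLs
	}, nil, nil)
	if err != nil {
		return nil, err
	}
	signer, signKey, err := newCert(&x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "extension author (constructed)"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}, caCert, caKey)
	if err != nil {
		return nil, err
	}
	p := &PKI{caCert: caCert, caKey: caKey, signer: signer, signKey: signKey}
	return p, p.publishCRL()
}

// publishCRL signs a fresh CRL with a strictly increasing number and a short lifetime,
// so clients cannot keep using an old one indefinitely.
func (p *PKI) publishCRL() error {
	p.crlNumber++
	now := time.Now()
	der, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number:              big.NewInt(p.crlNumber),
		ThisUpdate:          now,
		NextUpdate:          now.Add(time.Hour),
		RevokedCertificates: p.revoked,
	}, p.caCert, p.caKey)
	p.crlDER = der
	return err
}

// Revoke records the serial and republishes: the CA decides, the next CRL says so.
func (p *PKI) Revoke(serial *big.Int) error {
	p.revoked = append(p.revoked, pkix.RevokedCertificate{SerialNumber: serial, RevocationTime: time.Now()})
	return p.publishCRL()
}

// SignPackage signs SHA-256(pkg) with the code-signing key (DER-encoded ECDSA signature).
func SignPackage(pkg []byte, key *ecdsa.PrivateKey) ([]byte, error) {
	d := sha256.Sum256(pkg)
	return ecdsa.SignASN1(rand.Reader, key, d[:])
}

// VerifyPackage is the client-side check before install: chain the signer to the private
// CA with the code-signing EKU, verify the signature, then consult the CA's CRL. An
// unparsable, unsigned or stale CRL is an error, never a pass.
func VerifyPackage(pkg, sig []byte, signer, ca *x509.Certificate, crlDER []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := signer.Verify(opts); err != nil {
		return fmt.Errorf("chain: %w", err)
	}
	pub, ok := signer.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("unexpected signer key type")
	}
	if d := sha256.Sum256(pkg); !ecdsa.VerifyASN1(pub, d[:], sig) {
		return ErrBadSignature
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return fmt.Errorf("crl: %w", err)
	}
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return fmt.Errorf("crl: %w", err)
	}
	if time.Now().After(crl.NextUpdate) {
		return ErrStaleCRL
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(signer.SerialNumber) == 0 {
			return ErrRevoked
		}
	}
	return nil
}

// Scenario issues, signs, verifies, revokes and verifies again, returning both verdicts.
func Scenario() (before, after error, err error) {
	p, err := NewPKI()
	if err != nil {
		return nil, nil, err
	}
	pkg := []byte("constructed sample extension bundle, not a real package") // constructed input
	sig, err := SignPackage(pkg, p.signKey)
	if err != nil {
		return nil, nil, err
	}
	before = VerifyPackage(pkg, sig, p.signer, p.caCert, p.crlDER)
	if err = p.Revoke(p.signer.SerialNumber); err != nil {
		return nil, nil, err
	}
	after = VerifyPackage(pkg, sig, p.signer, p.caCert, p.crlDER)
	return before, after, nil
}

func main() {
	before, after, err := Scenario()
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println("before revocation:", before)
	fmt.Println("after revocation:", after)
}
```

The same signature that passes before `Revoke` is refused afterwards purely because the CRL changed; nothing about the signer's identity entered into the decision. With one private CA there is exactly one CRL to fetch, and the short `NextUpdate` is what turns "the CA revoked it" into "clients stop trusting it" within a bounded time.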

