Hi Michael,

Michael Ströder wrote:
> Eddy Nigg (StartCom Ltd.) wrote:
>> The issuing CA of a root certificate is *supposed* to be responsible for
>> its sub CAs naturally, however as a user of Mozilla software I want to
>> be *assured* that this is indeed the case.
>
> There is no way to assure that even in the case of EV certs.

I think this claim is somewhat bold. Supposing that all issuing CAs are going to be audited and re-audited again, this should give us reasonable assurance. I know what you are saying now....one hand shakes the other with one common interest, which is money. Well, that's just the reality we are living in....we can't be reformers of the world, but we can try to define certain aspects which are important to us and try to enforce them. That's as far as it gets, I guess....

> IMO EV is just marketing, yet another cash cow with even higher prices per
> cert.

Yes, I can't agree more with you. I have been commenting about this a lot and I believe that (PKI) security should be affordable in order to become mainstream. But again, that's the reality now and we have to take care that the promises are kept. This is our responsibility! However, I'm afraid I'm already seeing a devaluation of the quality of these certs, and if one does the math carefully one will realize that there will be quite some losers on the way...

> No way. IMO you don't have a chance to detect violations of the policy
> even for the root CAs.

Mmmh, and why not exactly?

> In practice every employee of a CA is made to lower the bar by his
> management because others do it as well. Then EV was invented as a
> higher level of trust. I wonder why there was a need for this if the CAs
> already did a good job before?

Well, yes...we don't need EV in order to have CAs perform a good job, not then and not now. But it also depends a lot on what the requirements are, since not every site needs EV, not even IV/OV. I think that there were shortcomings by the browser vendors, who for too many years stayed with that stupid lock icon instead of presenting different levels of verification. However, there is only one software vendor to blame for that stagnation, as with most things in this specific field, since there simply wasn't any competition going on. Luckily this has changed by now and the results can be felt.

BTW, FF3 looks great in this respect and I hope we can do even more soon ;-)

> Well, the relying party is the weakest piece in this puzzle. PKI
> business suffers because the RPs don't care.

Also true, but things are changing and a new generation is growing, one which will understand basic elements of security better. I think that the current development of the browser(s), especially Firefox, is contributing to that effort.

-- 
Regards

Signer: Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber: [EMAIL PROTECTED] <xmpp:[EMAIL PROTECTED]>
Blog: Join the Revolution! <http://blog.startcom.org>
Phone: +1.213.341.0390

_______________________________________________
dev-tech-crypto mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-crypto

