Frank Hecker:
> This brings up a point that was implied by my previous comments in 
> response to Eddy, but that I want to make explicit:
>
> IMO the reason why we have a CA policy is *not* because the Mozilla 
> Foundation wants to be or needs to be the "CA police", tracking down and 
> punishing bad deeds of CAs, and motivating them to behave better. We 
> have a CA policy because SSL sites exist and are accessed by typical 
> Mozilla users, because those SSL sites require CAs to issue them 
> certificates, and because we need some sort of baseline policy by which 
> we can balance inclusion of CA root certs (to make SSL "work") against 
> potential security concerns of doing so.

I think I also agree with this statement, but I'd like to refine it a 
little bit. Here are some examples of what I think is reasonable:

If we require auditing of CAs and their CA business (all of it), then we 
should insist on it across all CAs. Auditing via proxy or partially isn't a 
good thing to suggest, nor should CAs themselves act as auditors.

If our intent is to prevent MITM attacks and eavesdropping by requiring 
at least domain / email validation, we should make sure that the 
practices remain reasonable. If this is circumvented in some way, then 
we should act upon it. I view this as one of the basic security 
requirements we owe to the users of Mozilla.

If our intent is to prevent phishing attempts by disallowing certain 
name patterns of domain names which can mislead users easily, we should 
think about how this affects wildcard certificates.

I don't think this has anything to do with "CA Police", but with 
defining and implementing a certain policy. The policy is here to 
protect Mozilla's users to a reasonable extent.

> In the thawte case you cite, thawte changed its practices to start 
> issuing DV certs from a CA hierarchy not previously used for that, but 
> its practices were still within boundaries outlined in our policy (which 
> does allow issuance of DV certs). So I don't really see a security issue 
> here in terms of how this would affect typical users

Even if it's annoying, CAs are free to change policies within certain 
boundaries and limits as long as they don't cross the Mozilla-defined 
requirements. In that respect there isn't much Mozilla can do in the 
example from Thawte (even if it's true); instead, the subscriber and/or 
relying party should complain directly to them.

-- 
Regards 
 
Signer:         Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber:         [EMAIL PROTECTED] <xmpp:[EMAIL PROTECTED]>
Blog:   Join the Revolution! <http://blog.startcom.org>
Phone:          +1.213.341.0390
 

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto