On 17/12/08 12:42, Kyle Hamilton wrote:
I would very much like to see the implementing regulations that they
think causes them to need a new root rekey every year.
Yes, worthwhile to ask for that, because it will prepare the ground for
the other German CAs.
But... ....... and would also violate the archival principle
(that signatures of archived documents can be verified via the
presence of a timestamp from a reputable timestamping authority and a
trust anchor which still needs to be available).
Yes, to recall an unpopular claim of mine: digital signing where it
attempts to mimic human signing should be deprecated in poorly
architectured applications like S/MIME. For reasons just like these.
(BTW, where is this "archival principle" documented?)
To make matters worse, even if you wanted to follow my unpopular advice
there, the European experiment is designed precisely for this market:
digital human signing by "qualified certificates".
Hence, if you enter this area, you should do things *their way*; the
signatures will be contested in European courts by European lawyers
under European laws. If Mozilla doesn't work within the framework, then
there could be problems...
And to recall another unpopular suggestion: Mozilla should clarify the
agreement it has with end-users, and with CAs, so as to set the
liabilities in advance, in preparation for these cases.
Until the regulations are produced, I am STRONGLY AGAINST these roots'
inclusion. Even after the regulations are produced, I'm still very
likely going to be against it, though I am not stating absolutely "no"
at this time. (They may actually have a reason that I'll accept. I
doubt it, but I'll hold out hope... if for no other reason than to
point and laugh at the German government when they express a
completely unfounded fear.)
It is perhaps fun to laugh about the silly Germans ... but consider:
their digital signature project is very serious, it is strongly
supported by the tax authorities and they fully intend for tax
submissions to be signed. They have already passed or attempted to pass
the legislation to make this so.
Also, Germany is heartland for Mozilla. There are more supporters there
than other places, in general.
If I were able to commit Mozilla to any future action, what I'd do:
Refuse their request and inform them to tell their regulatory agency
to get in touch with Mozilla and other browser vendors to understand
why it's an unacceptable burden. Those regulatory agencies need to
get input on "best current practices", and help to figure out how to
rewrite the regulations so that they don't impose such a burden on the
browsers.
Law trumps standards committees, best current practices, help from
browser vendors, etc.
Also, bear in mind that Mozilla has expressely and deliberately
outsourced this question to their standards committees. It is in the
mission statement. Mozilla has already declined a role at this table.
This is why I say "be careful what you wish for..."
iang
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
