On 19/12/08 03:45, Nelson B Bolyard wrote:
According to my mail client, Ian G wrote on 2008-12-17 04:11 PST:
[paraphrasing liberally:
Europeans let their legislatures do their engineering.]
A fair comment, but it isn't as one sided as all that.
Lot of countries have created their own legislation or regulation for
security software, and then sat back and waited for others to implement
their designs ... and waited ... and waited ... and waited ...
Governments indeed have discovered that they are just players in the
market when it comes to Internet. Sometimes weak, sometimes powerful.
This may well be just another case.
It may well be, granted. The point I would make is that if QC is going
to succeed, then the place to watch is Germany. Just an opinion. They
are the ones who care the most *and* have the most weight.
(It is actually further along in some other places, like Estonia, but
they have no weight.)
But, I agree with you that it is still an "if" not a when.
Now, what do you do about it? Mozo is in a difficult position.
No, not a bit. The governments in most countries are accustomed to being
obeyed unquestioningly. They act astonished when NONE of the popular
browsers implement the requirements they try to impose. Tsk tsk.
It isn't about being obeyed, so much as getting changes and bug fixes
done at the architectural level and above.
If you go to the CAs there, they will likely not appreciate your
perspective on the problem. Their perspective on the problem for them
comes from their regulations. They've spent the last N years building
up to get that done. They only come to the browsers as a last step.
Mozilla (indeed, all browsers) have successfully ignored lots of silly
regulations from individual countries. A good example of that is
regulation that requires the CAs in one country to put into their certs a
monetary limit on the financial value of the transactions done that use
those certs, a limit using the nation's own monetary units, and to require
any software that uses those certs to dishonor those certs until they are
prepared to enfore those limits. Mozilla software happily dishonors all
those certs. There are other examples as well.
Sure. Easy one. Were they marked as critical extentions?
As we have discussed in this group before, Mozo's principle is to pass
these questions across to the standards committee.
For sake of argument, this would be the PKIX committee.
Wrong, but nice try.
If we agree to disagree that could be as far as it goes.
On the other hand, you could state what it is that you feel that is
wrong in the above description ... and we could explore and learn.
I'll go first: when we had a debate about revocation of the root, you
finalised that debate by accepting that there was a problem, and that
PKIX was the place for it to be fixed. It wasn't up to Mozo. Hence, I
mention it above.
In the mission of Mozilla, it states that we follow the standards
process. And, this includes security.
With respect, which part do you believe is wrong?
However, national law trumps standards committees.
LOL.
You may laugh, but the CA in question is not enjoying the joke.
I wish it were different. But, it isn't.
So, some country says "our citizens must use browsers that do this",
and no browsers do this, and eventually the country realizes that they
must relent or else have their citizens live in the dark ages.
Yes, that is what happens. In China, Skype has to ship a special
version with some secret MITM in it (speculation, I don't know what it
is). Likewise in ebay and yahoo, they both had to make global changes
because of the French. If you look at Paypal and SL there are similar
problems, caused by governments. Probably you recall the old days where
Netscape had to ship in two different versions because of the USA
government.
Please don't interpret my words personally, I play the other side to
explain things, not to start arguments. I also don't like the fact that
Skype has to breach the security of users. I also don't like qualified
certificates, and have written elsewhere much against them.
What to do about these things is a much more complex problem.
Eventually
they relent. That's what happened to the requirement about the monetary
limits in certs. The monetary limits are still there, but are now marked
as saying that the software that uses those certs is now free to honor those
certs even if it ignores those limits, and browsers all do so.
Yes, that was an easy one, the design was borked from the start, like
that RFC that Anders posted.
Mozilla doesn't seem to have had to deal with the hard choices here, but
the CAs in question do.
Getting back to the only issue I can recall, from Frank's original mail:
> * Per German law S-TRUST issues one new root
> CA certificate for every year, with each root
> cert having a 5-year lifetime. Thus they are
> currently requesting inclusion of four root
> certificates, for 2005 through 2008. Starting
> in 2010 the older root certs will begin to
> expire and we can remove them.
If this is it, I would wonder whether it is worth fighting. What's the
problem for Mozo?
iang
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
