The browser /can/ know the difference.  Remember, not every bit of
metadata about an issuer has to come from the root certificate itself.
(This should be obvious as far as EV is concerned -- StartCom's EV
root says that it's EV, but until Mozilla adds the metadata for EV,
it's not EV as far as the browser's concerned.)

That difference /can/ be communicated to the end-user, unobtrusively.

I think that separating out the nss team (those who are actually
passionate about cryptography, and hopefully know about how to use it
and what its limitations are) from the security team (those who are
operating from completely and hopelessly useless models and are too
afraid of "user acceptance" issues to fix them) was probably the most
short-sighted thing that Mozilla could have done from a security
standpoint.

-Kyle H

On Tue, Dec 30, 2008 at 5:23 AM, Eddy Nigg <eddy_n...@startcom.org> wrote:
> On 12/30/2008 01:43 PM, Ian G:
>>
>> Most all certificates carry no warranty or have zero liability
>> disclaimers. Of course the words may differ, but even EV Guidelines
>> permit the CA to set zero liability, except where it shown that the CA
>> is at fault, and even that may be limited to something fairly tame given
>> the market they are heading into.
>
>
> The browser does not know the difference! A certificate is a certificate is
> a certificate. I don't want to demonstrate it again to prove my point, in
> order to protect the private key of the mozilla.com certificate. Your analyses are
> not relevant for the browser - hence not relevant for the relying party (and
> in this case Mozilla). This could have been literally ANY organization
> instead. It could have been somebody other than me interested in disclosing it
> publicly. It could have been multiple certificates; nothing would have
> prevented that. And it would not have protected the CA from claims.
>
> --
> Regards
>
> Signer: Eddy Nigg, StartCom Ltd.
> Jabber: start...@startcom.org
> Blog:   https://blog.startcom.org
> _______________________________________________
> dev-tech-crypto mailing list
> dev-tech-crypto@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-tech-crypto
>
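Kyle's point above is that EV status is vendor-supplied metadata keyed on the root, not something the root certificate asserts about itself. The following is an added example, not code from this thread, Mozilla or StartCom, showing the shape of that decision: the client holds a table of (root fingerprint, policy OID) pairs, parses the leaf's certificatePolicies extension, and grants EV only when both match. The root bytes, the EV table and the CA-specific EV OID are constructed for the example; only the DER structure of certificatePolicies and the CA/Browser Forum DV OID are real.

```python
import hashlib

# Constructed stand-ins (not real certificates): the bytes only exist to be
# fingerprinted. A real browser fingerprints the root's DER encoding.
VENDOR_TRUSTED_EV_ROOT = b"constructed root: CA whose EV metadata the vendor added"
SELF_ASSERTING_ROOT = b"constructed root: CA that merely claims EV in its own cert"

# Policy OIDs: the first is an assumed CA-specific EV OID for this example;
# 2.23.140.1.2.1 is the CA/Browser Forum domain-validated policy OID.
EV_POLICY_OID = "2.16.840.1.114412.2.1"
DV_POLICY_OID = "2.23.140.1.2.1"

# The browser-side EV table: (SHA-256 of root DER, policy OID) -> display name.
# This is the metadata that does not come from the root certificate itself.
EV_TABLE = {
    (hashlib.sha256(VENDOR_TRUSTED_EV_ROOT).hexdigest(), EV_POLICY_OID): "ExampleTrust EV",
}


def _der_len(n):
    """DER length octets (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, content):
    return bytes([tag]) + _der_len(len(content)) + content


def der_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, (arc & 0x7F) | 0x80)
            arc >>= 7
        out.extend(chunk)
    return der_tlv(0x06, bytes(out))


def certificate_policies(*oids):
    """Build a DER certificatePolicies value: SEQUENCE OF PolicyInformation."""
    return der_tlv(0x30, b"".join(der_tlv(0x30, der_oid(o)) for o in oids))


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _parse_oid(value):
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def policy_oids(cert_policies_der):
    """Extract the policyIdentifier OIDs from a DER certificatePolicies value."""
    tag, body, _ = _read_tlv(cert_policies_der, 0)
    if tag != 0x30:
        raise ValueError("certificatePolicies must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, info, pos = _read_tlv(body, pos)
        if tag != 0x30:
            raise ValueError("PolicyInformation must be a SEQUENCE")
        t, oid, _ = _read_tlv(info, 0)  # policyIdentifier; qualifiers are ignored
        if t != 0x06:
            raise ValueError("policyIdentifier must be an OID")
        oids.append(_parse_oid(oid))
    return oids


def ev_status(root_der, leaf_cert_policies_der):
    """Client-side EV decision: the chain's root fingerprint AND a policy OID in
    the leaf must both match the vendor table. Returns the EV display name, or
    None for an ordinary certificate (same chain validity, no EV indicator)."""
    fp = hashlib.sha256(root_der).hexdigest()
    for oid in policy_oids(leaf_cert_policies_der):
        name = EV_TABLE.get((fp, oid))
        if name is not None:
            return name
    return None


if __name__ == "__main__":
    ev_leaf = certificate_policies(EV_POLICY_OID)
    dv_leaf = certificate_policies(DV_POLICY_OID)
    print(ev_status(VENDOR_TRUSTED_EV_ROOT, ev_leaf))  # ExampleTrust EV
    print(ev_status(VENDOR_TRUSTED_EV_ROOT, dv_leaf))  # None
    print(ev_status(SELF_ASSERTING_ROOT, ev_leaf))     # None: root asserts EV, vendor never recorded it
```

The third call is the StartCom case from the thread: the leaf carries the CA's EV policy OID and chains to the CA's root, but until the vendor adds the (fingerprint, OID) entry the client treats it exactly like the DV certificate. The same table is also where a client could hang other per-issuer metadata (for instance a liability or warranty class) and surface it to the user without changing anything in the certificates themselves.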