On Tue, Jan 1, 2013 at 5:51 AM, Dirkjan Ochtman <d...@gentoo.org> wrote:
> On Tue, Jan 1, 2013 at 1:44 AM, Rich Freeman <ri...@gentoo.org> wrote:
>> The certificates that Gentoo distributes have at least been vouched
>> for by somebody who is a part of our community, which is more than can
>> be said for most of the upstream certificates.
>
> And you think "vouched for" by some community member is better than
> Mozilla's audit process, however limiting it may be?
>
> Yes, the CA system is broken, but it's what we've got for now. It
> seems obvious that including fewer CA roots in our base package is a
> better solution than including more of them, since (a) it's pretty
> easy for our users to install more of them, including at scale (via an
> overlay), and (b) actual security of a CA probably goes down
> exponentially as you move towards CA's with a lower level of trust
> placed in them by organizations like Mozilla.
>
> Speaking of which, say what you will about Mozilla's broken criteria
> for root inclusion, but Mozilla has no commercial interests,

Wait, what? How does taking income during a process not constitute a
commercial interest? That money goes to something that's in the
interest of the Mozilla Foundation, whether it's paying for
infrastructure, paying for developers to do their thing, sponsoring
this, that or the other thing...

Without money Mozilla wouldn't exist, ergo Mozilla is interested in
money, ergo taking money in exchange for bundling a root cert carries
its own interest outside of the security properties of bundling the
root cert.

So if Mozilla has an interest in cert security, and an interest in
money, then including certs for money carries with it an inherent
conflict of interest.

Such as the world is, things cannot be done without money to exchange
for goods and services, so any entity with interests beyond money
needs to manage such a conflict, one way or another. So, the question
comes around to how well the entity manages that conflict of interest,
via things like ombudsmen or independent (how?) audit processes. Or
how it's managed for them, via things like reputation. (And it sounds
to me like Rich is making a strong argument about the reputation
angle, both in favor of vouching, and for observing security problems
with people Mozilla still bundles.)

(That's all I've got for this thread. Going back to lurking.)


--
:wq