Henrik Gemal wrote: This thread is really interesting because the $150,000 to put a root in Netscape/Mozilla is a bit steep. Sure we want to ensure that a vendor is really serious about keeping with their Certificate Practice Statement and liability, but for a non-profit type cert chain (like what Higher Education would like to build) that's a SERIOUS hunk of cash.
Sounds really really strange... How did you talk to?
You mean who? I created a bug report (http://bugzilla.mozilla.org/show_bug.cgi?id=196059) and was told to contact Stephane Saux at Netscape, which I did.
Georgia Tech is using a CREN rooted certificate (see http://www.cren.net) which is what we hope to be the basis of a Higher-Ed PKI infrastructure for our certs and we're also forced to manually ask users to include it because the $150k pricetag is just something that won't happen.
Luckily, the manual process of getting a customer to get a root into the store isn't all that bad and custom configurations of Mozilla/Netscape from what I understand aren't out of the question (just have your users install your package if having them download the root is too much of a hassle).
We're beginning a phase of using our root to sign server certificates that will involve a KNOWN customer base so we can educate them on how to install our root cert into their browser. However, when you think certificate distribution, you also have to think of the myriad other browsers (Internet Explorer, Opera, Chimera) as well as the idiosyncrasies of each browser on EACH OS (for example IE on the MAC really doesn't play because Mac can't use ActiveX, which is IE's main certificate manipulation routine, and the file associations and application-types don't seem to be handled in that browser).
At this time, building a custom PKI outside of the current arrangement of Mozilla/Netscape involves one of the hardest things to accomplish: the education of your users. Not only education, but you also have to crank down on exactly WHICH clients (and VERSION) and what OS you are going to support.
As an aside, PKI in itself can be a complicated technology with things "not quite working" as they should especially in the differences between RFC and reality.
Mozilla is the BEST cross platform solution for a custom PKI at this time (in my experience) because it all works across each of the OSs in the same way. Dunno about Opera because I haven't buckled down and done experimentation yet. What am I going to tell those IE users on the MAC? Sorry, either use a client that works or don't use our services.
My curiosity is what the relationship of Mozilla to Netscape is in regards to the handling of who gets into the root store of an open source project. What Netscape does or doesn't keep inside their root store is their business. Perhaps it has to do with $$...dunno. I think Netscape has the right to charge $150,000, but I'm curious whether, if you only wanted it distributed in the Mozilla builds, there should be some procedures that don't chew an outrageous cash amount.
I am sure I don't understand the relationship of the two well enough to begin to speculate.
Happy Friday! - John Douglass, Georgia Institute of Technology http://papyrus.gatech.edu http://ca.cren.net/papyrus
