As seen in http://bugzilla.mozilla.org/long_list.cgi?buglist=215243 mozilla.org is now wrestling with the topic of how to choose which root CA certs to include, and which not to include, in the mozilla open source.
My guess is that lawyers will have a lot to do with the selection. :( But IMO it would still be good if the mozilla community could come to some agreement on certain issues, such as:
To what standard should CAs be held to be added and remain in mozilla's built-in list of trusted root CAs?
It is erroneous to assume that such criteria would be the same for all users of Mozilla (or any other "tool-class" software
package). Consequently, the list must be implemented as a
"proposal only", subject to acceptance (and easy intervention)
by the end user.
It is indicative that the designers of many crypto systems will give the end user a choice of the algorithm. Choice of root cert organizations is even more dependent on the "who can I trust" question that only an individual user can decide.
BTW, another thing that would significantly improve the security model of all browsers would be a MO where the finger of the site's public key is automatically displayed for confirmation.
Roger
_______________________________________________ mozilla-crypto mailing list [EMAIL PROTECTED] http://mail.mozilla.org/listinfo/mozilla-crypto
