Duane wrote:
> Why should money be such an entry criteria?

I didn't say it should. I didn't mention money ANYWHERE in my original post, so it's off topic in this thread. I've proposed AICPA (or similar third party) attestation, not money, as the criteria.

> And if Verisign can make such blatant mistakes we have heard about,

Let's keep all the complaints about your competition out of this entire
discussion.  They don't build CAcert's credibility.

> In other words a CA trying to be accredited by AICPA can lie through their teeth on their CPS/policy statements,

AICPA is supposed to be about independent auditing of practices by professional auditors (they're CPAs, remember). IF they accept unaudited statements, then IMO their "attestation" is not worth anything. But I do not know that they accept unaudited statements. I rather doubt it.

> I agreed with Frank about pre and post, after all if there is no whacking stick there is no incentive to be a good corporate citizen.
>
> OCSP for checking revoked CAs sounds like a pretty good idea to me, it would reduce the time that any breaches could spread.

The crucial piece there is that some company has to take the liability of being the Uber-CA for that to happen.

> Well SSL shouldn't be trusted as the sugar coated version some companies put out,

What does THAT mean? And what has it to do with this topic?


Lots of people have misconceptions about SSL, or more specifically, the
lock icons in their browser and/or email clients.  They think "lock
means I'm dealing with a trustworthy merchant", which it never meant.

> The security itself is fine, but the actual CA processes, well unless
> there was an in-depth study, something I doubt Frank or many have the
> time to do on a volunteer basis, then we are all in serious trouble,
> see above with my comments about AICPA.

> Also why should ssl be considered purely about ecommerce,

Who has suggested that it should? Not me.


> there is no dollar value in me using SMTP-TLS,

Indeed, some would suggest there is no value in it at all.
SMTP-TLS only encrypts across one mail hop.  SMIME encrypts end-to-end.
Or were you thinking of IMAP-TLS or POP-TLS?

> however it's been more than proven home cable networks and wireless
> networks are extremely vulnerable to sniffing, CAcert sprung up to help
> provide end to end encryption for connections over wireless
> networks, and not just for web pages...

Today's PKI software (from numerous sources, not only mozilla) allows the user to choose the purposes for which s/he trusts the CA. But the granularity of the purposes is rather coarse, e.g. one axis is {SSL, S/MIME, code signing, ...} another axis is {data signing, certificate signing, CRL signing, data encryption, key encryption, ...}

All certs that are trusted for a particular use (e.g. SSL) are trusted
EQUALLY for that purpose. So, it is not presently possible (with
mozilla) to trust a cert for POP-TLS, but not for HTTPS. Similarly, it
is not possible to trust a cert for "everything but banking" as some have suggested, with the present PKI software. It would be feasible to add additional details to user trust to PKI software. A user could state
"I trust this CA for everything but banking", but then there would have
to be some means by which mozilla could tell when the user was trying
to achieve banking, and I rather think that's infeasible. You visit
your friend's web page, and he redirects you to your bank's web page.
How does mozilla know whether you're banking or not?


So, as long as all CAs that a user trusts for SSL are trusted equally,
and until some other basis for segregating applications is established,
all SSL ROOT CAs need to be held to the same standard.

--
Nelson B
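
An added example, not part of the original message and not Mozilla's code: a toy Python model of the coarse per-purpose trust described above, showing that every root trusted for SSL gets the same verdict for HTTPS and POP-TLS, and that a narrower trust setting cannot be expressed. The class names, the protocol-to-purpose mapping and the root CA and host names are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Coarse purposes a user can trust a root CA for (one axis from the message).
PURPOSES = frozenset({"SSL", "SMIME", "CODE_SIGNING"})

# Assumed mapping: every TLS-protected protocol collapses onto the one "SSL" purpose.
PROTOCOL_PURPOSE = {"HTTPS": "SSL", "POP-TLS": "SSL", "IMAP-TLS": "SSL",
                    "SMTP-TLS": "SSL", "S/MIME": "SMIME"}

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    purposes: frozenset  # purposes the certificate itself permits

class TrustStore:
    def __init__(self):
        self._roots = {}  # root subject -> purposes the user trusts it for

    def trust(self, root_subject, purposes):
        unknown = set(purposes) - PURPOSES
        if unknown:  # "POP-TLS only" or "SSL except banking" is not expressible
            raise ValueError(f"no such trust purpose: {sorted(unknown)}")
        self._roots[root_subject] = frozenset(purposes)

    def accepts(self, chain, protocol):
        """chain is leaf-first and ends at a root; True if trusted for protocol."""
        purpose = PROTOCOL_PURPOSE[protocol]
        linked = all(c.issuer == p.subject for c, p in zip(chain, chain[1:]))
        permitted = all(purpose in c.purposes for c in chain)
        return linked and permitted and purpose in self._roots.get(
            chain[-1].subject, frozenset())

def demo():
    ssl = frozenset({"SSL"})
    store = TrustStore()
    chains = {}
    for root in ("Audited Root CA", "Unaudited Root CA"):  # constructed names
        store.trust(root, {"SSL"})
        chains[root] = [Cert("bank.example", root, ssl), Cert(root, root, ssl)]
    # Same verdict for every root and every TLS protocol: no finer distinction exists.
    verdicts = {(r, p): store.accepts(c, p) for r, c in chains.items()
                for p in ("HTTPS", "POP-TLS")}
    try:
        store.trust("Unaudited Root CA", {"POP-TLS"})
        finer_grained = True
    except ValueError:
        finer_grained = False
    return verdicts, finer_grained
```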
