> I didn't say it should. I didn't mention money ANYWHERE in my original post, so it's off topic in this thread. I've proposed AICPA (or similar third party) attestation, not money, as the criteria.
Yes, and since when does AICPA do these things for, say, less than $75,000 to $250,000? If that's not a monetary entry requirement, I don't know what is.
> Let's keep all the complaints about your competition out of this entire discussion. They don't build CaCert's credibility.
Frank brought this into the discussion by pondering about what should happen to CAs if they breach trust. I think this is very valid to CAcert, because if it is accepted they both share the same fate.
> The crucial piece there is that some company has to take the liability of being the Uber-CA for that to happen.
Revoke certificates would need to be supplied if a breach occurs; however, things could be done in a manner without needing an overseeing CA that signed all the sub-CAs, just some method similar to the Windows update event and how they pushed out a revoke.
> What does THAT mean? And what has it to do with this topic?
That was in response to your comments about the articles I posted...
> Lots of people have misconceptions about SSL, or more specifically, the lock icons in their browser and/or email clients. They think "lock means I'm dealing with a trustworthy merchant", which it never meant.
And how did they come by that misconception if it wasn't a sugar-coated version pushed by certificate companies?
> Who has suggested that it should? Not me.
Not true. You're stating people are pushing for this inclusion because they want free certificates, and if they shouldn't be allowed free certificates then obviously there is a money incentive for them, so why shouldn't certificates be free where possible then?
> Indeed, some would suggest there is no value in it at all. SMTP-TLS only encrypts across one mail hop. SMIME encrypts end-to-end. Or were you thinking of IMAP-TLS or POP-TLS?
I use both actually, but I gave a reason for using SMTP-TLS. I also use SMTP-AUTH, and what better way to protect the password than with TLS on both SMTP and POP3?
> Today's PKI software (from numerous sources, not only mozilla) allows
> the user to choose the purposes for which s/he trusts the CA. But the
> granularity of the purposes is rather coarse, e.g. one axis is
> {SSL, S/MIME, code signing, ...} another axis is {data signing,
> certificate signing, CRL signing, data encryption, key encryption, ...}
Also, the warnings about why a certificate isn't trusted (e.g. self-signed) are also rather coarse...
> All certs that are trusted for a particular use (e.g. SSL) are trusted
> EQUALLY for that purpose. So, it is not presently possible (with
> mozilla) to trust a cert for POP-TLS, but not for HTTPS. Similarly, it
> is not possible to trust a cert for "everything but banking" as some have suggested, with the present PKI software. It would be feasible to add additional details to user trust to PKI software. A user could state
> "I trust this CA for everything but banking", but then there would have
> to be some means by which mozilla could tell when the user was trying
> to achieve banking, and I rather think that's infeasible. You visit
> your friend's web page, and he redirects you to your bank's web page.
> How does mozilla know whether you're banking or not?
You're stating Mozilla shouldn't take a role in the verification process, then turn around and say they should in a purpose process? Isn't that 10x more problematic than the inclusion in the first place, because you're then making express statements about the purpose, rather than whether the policies are deemed acceptable?
> So, as long as all CAs that a user trusts for SSL are trusted equally, and until some other basis for segregating applications is established, all SSL ROOT CAs need to be held to the same standard.
I agree, which is why I posted the above about Verisign. If they are not held accountable for their actions the same as any other CA, what incentive is there for them to behave correctly?
Also, I might add, you're somewhat contradictory. Firstly you work on a non-profit association and promote a browser as a better technology than commercial offerings, then you try and push commercial certificate authorities as a better offering than non-profit ones. Surely after being involved with this project I thought you'd be a little more open to the idea, but instead you're doing everything possible, even blatantly stating things multiple times which I've refuted completely, and still go all out to crucify us. Yes, you have valid points I agree with, and we are trying to work within the limits of our abilities, mostly monetary, to comply with everything you've asked for, yet you are trying so hard to have the bar set so high that only commercial organisations seem good enough. If that's not completely and utterly hypocritical in your book, I don't know what is.
We are more than happy to work with you and any other developer anywhere to make you satisfied with our policies, and that the way we operate works within the bounds of those policies, but you are coming out in an aggressive manner simply dismissing us, at what can only be described as the 11th hour, to sink us, when you've had ample time since August last year to post all comments and needs for more documentation, policy information, or anything else for that matter.
I'm sorry I've ranted on a little here, but several people have noted the aggressive and hypocritical overtones in your postings; whether they're intentional or not, that's how people are perceiving them.
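The point about coarse trust granularity in the quoted text can be made concrete with the trust-string format NSS (the PKI library behind Mozilla products) uses for root CAs: three comma-separated fields, one each for SSL, S/MIME and object signing, with "C" marking a CA trusted for that purpose. The following is an added illustration, not code from this thread or from NSS itself; the flag letters follow certutil's documented meanings, while the protocol-to-purpose table and the CA nicknames are constructed for the example. It shows why a CA trusted for SSL is necessarily trusted for HTTPS and POP-TLS alike.

```python
from dataclasses import dataclass

# The three NSS trust fields, in the order certutil prints them.
PURPOSES = ("ssl", "email", "objsign")

# Flag letters as documented for NSS certutil -t (real syntax):
#   C  trusted CA for this purpose
#   c  valid CA, but not trusted to issue for this purpose
#   p  prohibited: explicitly distrusted for this purpose
TRUSTED, VALID_CA, PROHIBITED = "C", "c", "p"

# Constructed mapping of application protocols onto the three purposes.
# Every TLS-based protocol collapses onto the single "ssl" purpose, which
# is exactly why POP-TLS and HTTPS cannot be trusted separately.
PROTOCOL_PURPOSE = {
    "https": "ssl",
    "pop3-tls": "ssl",
    "imap-tls": "ssl",
    "smtp-tls": "ssl",
    "s/mime": "email",
    "code-signing": "objsign",
}


@dataclass(frozen=True)
class CATrust:
    """One root CA entry with a certutil-style trust string, e.g. "C,C,C"."""
    nickname: str
    flags: str

    def field(self, purpose: str) -> str:
        """Return the flag letters for one purpose (SSL, email or objsign)."""
        parts = self.flags.split(",")
        if len(parts) != len(PURPOSES):
            raise ValueError(f"trust string must have 3 fields: {self.flags!r}")
        return parts[PURPOSES.index(purpose)]

    def trusted_for(self, purpose: str) -> bool:
        """A CA is a trust anchor for a purpose only if flagged C and not p."""
        f = self.field(purpose)
        return TRUSTED in f and PROHIBITED not in f


def protocol_trusted(ca: CATrust, protocol: str) -> bool:
    """Would a chain anchored at `ca` be accepted for this protocol?"""
    return ca.trusted_for(PROTOCOL_PURPOSE[protocol])


def trusted_protocols(ca: CATrust):
    """All protocols a CA's trust string enables; note that the SSL
    protocols always appear together or not at all."""
    return {p for p in PROTOCOL_PURPOSE if protocol_trusted(ca, p)}


if __name__ == "__main__":
    # Constructed sample store: one CA trusted for SSL only, one for all
    # three purposes, one imported but not trusted for anything.
    store = [
        CATrust("Example SSL-only Root", "C,,"),
        CATrust("Example Full Root", "C,C,C"),
        CATrust("Example Untrusted Root", "c,c,c"),
    ]
    for ca in store:
        print(f"{ca.nickname:28} {ca.flags:8} -> {sorted(trusted_protocols(ca))}")
```

Running it prints, for the SSL-only root, the whole set of TLS protocols (https, imap-tls, pop3-tls, smtp-tls) and nothing else; there is no flag string that yields pop3-tls without https, which is the limitation the quoted text describes.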
_______________________________________________
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto
