> On Sat, 07 Feb 2004 14:28:44 -0800, Nelson B
> Yes and since when does AICPA do these things for say less than $75,000
> to $250,000 ? If that's not a monetary entry requirement I don't know
> what is?
Suggest another method of independently audited practices?
>> The crucial piece there is that some company has to take the liability
>> of being the Uber-CA for that to happen.
>
> revoke certificates would need to be supplied if a breach occurs,
> however things could be done in a manner without needing an overseeing CA
> that signed all the sub-CAs, just some method, similar to the windows
> update even and how they pushed out a revoke.
You didn't speak to the liability issue.
>> What does THAT mean? And what has it to do with this topic?
>
> That was in response to your comments about the articles I posted...
>
>> Lots of people have misconceptions about SSL, or more specifically, the
>> lock icons in their browser and/or email clients. They think "lock
>> means I'm dealing with a trustworthy merchant", which it never meant.
>
> And how did they come by that misconception if it wasn't a sugar coated
> version pushed by certificate companies?
Most mozilla users are UNAWARE of the EXISTENCE of CAs. They haven't read anything from CAs, much less any sugar coating.
>> Who has suggested that it should? Not me.
>
> Not true, you're stating people are pushing for this inclusion because
> they want free certificates, and if they shouldn't be allowed free
> certificates then obviously there is a money incentive for them, so why
> shouldn't certificates be free where possible then?
Did I say ANYWHERE that people should not be allowed free certs?
I said that the criteria have to be about the security, NOT THE COST.
>> All certs that are trusted for a particular use (e.g. SSL) are trusted
>> EQUALLY for that purpose. So, it is not presently possible (with
>> mozilla) to trust a cert for POP-TLS, but not for HTTPS. Similarly, it
>> is not possible to trust a cert for "everything but banking" as some
>> have suggested, with the present PKI software. It would be feasible
>> to add additional details to user trust to PKI software. A user could
>> state
>> "I trust this CA for everything but banking", but then there would have
>> to be some means by which mozilla could tell when the user was trying
>> to achieve banking, and I rather think that's infeasible. You visit
>> your friend's web page, and he redirects you to your bank's web page.
>> How does mozilla know whether you're banking or not?
>
> You're stating Mozilla shouldn't take a role in the verification process
> then turn around and say they should in a purpose process?
Nowhere did I suggest that the mozilla organization should evaluate certs for purposes. I suggested that the mozilla browser software could enable users to choose for themselves which CAs they trust for purposes such as banking, but that this would require that the mozilla browser be able to determine which of the user's defined purposes was applicable to a particular action. How does the browser know if you're trying to do banking or not?
>> So, as long as all CAs that a user trusts for SSL are trusted equally,
>> and until some other basis for segregating applications is established,
>> all SSL ROOT CAs need to be held to the same standard.
>
> I agree, which is why I posted the above about verisign, if they are not
> held accountable for their actions the same as any other CA, what
> incentive is there for them to behave correctly?
> Also I might add you're somewhat a little contradictory, firstly you
> work on a non-profit association
Like many mozilla contributors, I am paid to contribute to mozilla's source (among other things). My employer is not one of your competitors, AFAIK.
I do not speak for my employer, nor for the mozilla foundation.
My employer has not expressed to me any opinion about you, or about
for-profit or not-for-profit CAs. The position I convey here is entirely
my own personal one.
> and promoting a browser as a better then commercial offering technology,
Well, I believe that mozilla is better than certain specific commercial technologies, yes. But then, there are those who sell products based on mozilla technology, IINM, so one cannot accurately characterize my position as being that non-commercial technology is inherently different than commercial.
> then you try and push commercial certificate authorities as a better
> offering than non-profit one,
I have done no such thing. I care not whether a CA is for-profit or not-for-profit, nor how much they charge for services. I care about the real security and trust that a CA offers.
> surely
> after being involved with this project I thought you'd be a little more
> open to the idea, but instead you're doing everything possible, even
> blatantly stating things multiple times which I've refuted completely,
> and still go all out to crucify us,
As I said previously, this discussion is not about any one CA, but rather about establishing a set of criteria that mozilla can uniformly apply, one that keeps the public trust. If you meet those criteria, once they are established, then GREAT. You'll be as welcome as any others who do. I hope you will!
In the meantime, please help us establish the criteria.
> yes you have valid points I agree
> with, and we are trying to work within the limits of our abilities,
> mostly monetary to comply with everything you've asked for yet you are
> trying so hard to have the bar set so high only commercial organisations
> seem good enough.
The bar needs to be set according to the security requirements of public trust. Being trusted as a CA is about being trusted and trustworthy, not about a pricing structure.
> We are more than happy to work with you and any other developer anywhere
> to make you satisfied our policies, and the way we operate works within
> the bounds of those policies, but you are coming out in an aggressive
> manner simply dismissing us,
As far as I can recall, I have not expressed any opinion on whether you are qualified or not. I have not seen enough information to form an opinion on that subject (and did say that before). All my opinions are about mozilla's policy and procedures for adding to the trusted CA list.
The process needs to be based on established criteria. I think mozilla should AVOID having it be "because Joe thought so", but I'm ok with it being "because some organization with well published criteria said so, and was willing to take the liability for saying so."
> on what can only be described as the 11th
> hour to sink us, when you've had ample time since August last year to
> post all comments and needs for more documentation, policy information,
> or anything else for that matter.
I first learned about you in bug 215243 less than a week ago.
> I'm sorry I've ranted on a little here, but several people have noted
> the aggressive, and hypocritical over tones in your postings, whether
> they're intentional or not that's how people are perceiving them.
As I said before, I'm one of the ~5 engineers who develops and maintains NSS, the crypto libraries in NSS. We work very hard to make sure that NSS maintains high security. If "rogue CAs" are added to the list, then all that work will have been for naught. (I'm not saying you're a rogue CA - this isn't about you, it's about the criteria for acceptance. I'm getting tired of saying that.)
It makes NO SENSE for mozilla to use 256-bit encryption if one can easily get mozilla to adopt a rogue CA. Mozilla's cryptography is thought to be strong enough to be unbreakable by all known computers in our lifetime, so the selection process we have for admitting CAs should not be something that someone can easily sneak by. Being low cost, or not-for-profit is not, in and by itself, enough reason to be let into that list (though it certainly doesn't disqualify anyone). If mozilla's criteria for accepting CAs are satisfied by the statement "we are not for profit", then mozilla needs no further improvement of its crypto software.
Please start a separate thread in this newsgroup about the subject of "Admitting CAcert to mozilla's trusted root list". That thread should be the place to discuss whether CAcert is or is not qualified.
THIS THREAD should be about deciding how much work mozilla.org must do before admitting a CA to that list.
-- Nelson B
_______________________________________________
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto
