> Nelson, would you agree that "are there adequate assurances that some pretender cannot cause another person's cert to be revoked?" is an inappropriate criterion for deciding inclusion in the trusted CA list?
I would NOT agree that it is *inappropriate*. All the questions I asked had to do with being trustworthy, and for that reason, I deem them all appropriate, since that is the central issue here.
IMO, a CA that does not provide adequate assurances to their clientele is less trustworthy to the public as a whole than one that does. And so Mozilla Foundation (MF) needs to decide whether their threshold of acceptable trustworthiness includes that measure or not. (They may decide not, but IMO it would not be inappropriate to include that question.)
Inappropriate questions would include asking whether the principals are caucasian, or male, or of a certain religion, or how much they charge for certs.
They're inappropriate because they're irrelevant to being trustworthy.
Likewise, that information would be *inappropriate* for CAs to submit as a basis for their selection.
But, not all the questions I asked are necessarily *required* of new CAs.
The decision process that MF must go through must consider a wide range of levels of threshold. Given that they do NOT appear inclined to choose an outside agency, such as AICPA, to decide for them, I think they must be given a large range of options to consider.
If we give them a threshold range of 0-10, they may choose 5. If left to their own devices, they may only see a range of 0-2, (not seeing the higher end choices), and so they would likely choose 1. So, it behooves those of us who see choices greater than 2 to give them values above 2 from which to choose.
Prior to my involvement, the stated criteria were (quoted from http://bugzilla.mozilla.org/show_bug.cgi?id=215243#c14 ):
> MF requires all CAs
> (a) be root CAs;
> (b) offer services to the general public;
> (c) provide public info about CA and
> (d) its policies and procedures.
> MF may in addition include root CAs that do not provide services to
> the general public (e.g., for an intranet customer).
> MF won't distribute non-CA-certs (e.g., self-signed web server certs).
I'd call that threshold zero or 1.
If MF meant to inspect the "public info" about "policies and procedures" and apply some threshold to those values, they didn't say so, and they didn't state the threshold (AFAIK).
Notice the complete absence of any technical criteria of trustworthiness in those requirements. They don't define CA. A CA with a 256-bit public key could pass that test. A CA cert whose private key was downloadable from his web site would pass (it's "public info"! :). A CA with no revocation whatsoever would pass. A CA that offered any cert to any person without any validated I&A (identification and authentication) for $100 (a.k.a. falsified documents), and provided public info saying so, would pass that test.
So, I provided a list of questions for MF to consider asking. MF may decide that some of those things are not required. (I _expect_ that.)
If MF finds that no questions about revocation, private key protection, and I&A are necessary, then they will not need strong crypto as much as they will need strong lawyers to fend off suits from the defrauded relying parties, IMO.
-- Nelson B
_______________________________________________
mozilla-crypto mailing list
http://mail.mozilla.org/listinfo/mozilla-crypto
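The post above argues that the stated inclusion criteria contain no technical test at all: a root with a tiny public key, a certificate that is not really a CA certificate, or a CA that issues certificates with no way to revoke them would all pass. The following script is an added example, written for this page and not code from the post, from Mozilla, or from any CA programme. It mechanically checks those three points on a candidate root and on a certificate the root has issued: the RSA modulus size against a threshold (2048 bits is an assumed policy value, not taken from the post), that basicConstraints marks the cert as a CA and that it is genuinely self-signed, and that issued certificates carry a CRL distribution point or an OCSP responder URL. It goes slightly beyond the post by also checking the self-signature. It depends on the third-party `cryptography` package; all keys, names and URLs are constructed inside the script for the demonstration.

```python
"""Technical sanity checks on a candidate root CA (added example, not from the post)."""
import datetime
import functools

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import AuthorityInformationAccessOID, NameOID

MIN_RSA_BITS = 2048  # assumed policy threshold; the post names no number


def check_root(root):
    """Return a list of objections to ROOT; an empty list means none were found."""
    findings = []
    pub = root.public_key()
    if not isinstance(pub, rsa.RSAPublicKey):
        return ["only RSA roots are handled by this example"]
    if pub.key_size < MIN_RSA_BITS:
        findings.append(f"RSA modulus is only {pub.key_size} bits")
    try:
        bc = root.extensions.get_extension_for_class(x509.BasicConstraints)
        if not bc.value.ca:
            findings.append("basicConstraints says CA=FALSE")
        elif not bc.critical:
            findings.append("basicConstraints is not marked critical")
    except x509.ExtensionNotFound:
        findings.append("no basicConstraints extension: not a CA cert")
    if root.issuer != root.subject:
        findings.append("issuer differs from subject: not a root")
    try:
        # A root must verify under its own key, otherwise it is not self-signed.
        pub.verify(root.signature, root.tbs_certificate_bytes,
                   padding.PKCS1v15(), root.signature_hash_algorithm)
    except InvalidSignature:
        findings.append("signature does not verify with the root's own key")
    return findings


def check_issued(cert):
    """Return objections to a certificate the CA issued: can it be revoked at all?"""
    has_crl = has_ocsp = False
    try:
        cert.extensions.get_extension_for_class(x509.CRLDistributionPoints)
        has_crl = True
    except x509.ExtensionNotFound:
        pass
    try:
        aia = cert.extensions.get_extension_for_class(x509.AuthorityInformationAccess).value
        has_ocsp = any(d.access_method == AuthorityInformationAccessOID.OCSP for d in aia)
    except x509.ExtensionNotFound:
        pass
    if has_crl or has_ocsp:
        return []
    return ["no CRL distribution point and no OCSP responder: cert cannot be revoked"]


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _cert(subject, issuer, pub, signer, ca, extra=()):
    """Build a certificate with constructed validity dates and the given extensions."""
    now = datetime.datetime.now(datetime.timezone.utc)
    b = (x509.CertificateBuilder()
         .subject_name(subject).issuer_name(issuer).public_key(pub)
         .serial_number(x509.random_serial_number())
         .not_valid_before(now - datetime.timedelta(days=1))
         .not_valid_after(now + datetime.timedelta(days=365))
         .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True))
    for ext in extra:
        b = b.add_extension(ext, critical=False)
    return b.sign(signer, hashes.SHA256())


@functools.lru_cache(maxsize=None)
def demo():
    """Build a sound CA and a deficient one (constructed data) and check both."""
    good_key = rsa.generate_private_key(65537, 2048)
    bad_key = rsa.generate_private_key(65537, 1024)  # below MIN_RSA_BITS on purpose
    good_name, bad_name = _name("Careful Root CA"), _name("Careless Root CA")
    good_root = _cert(good_name, good_name, good_key.public_key(), good_key, True)
    bad_root = _cert(bad_name, bad_name, bad_key.public_key(), bad_key, True)

    leaf_key = rsa.generate_private_key(65537, 2048)
    # Constructed revocation pointers; the hostnames are placeholders.
    crl_dp = x509.CRLDistributionPoints([x509.DistributionPoint(
        full_name=[x509.UniformResourceIdentifier("http://crl.example.test/root.crl")],
        relative_name=None, reasons=None, crl_issuer=None)])
    ocsp = x509.AuthorityInformationAccess([x509.AccessDescription(
        AuthorityInformationAccessOID.OCSP,
        x509.UniformResourceIdentifier("http://ocsp.example.test"))])
    revocable = _cert(_name("www.example.test"), good_name, leaf_key.public_key(),
                      good_key, False, extra=[crl_dp, ocsp])
    unrevocable = _cert(_name("www.example.test"), bad_name, leaf_key.public_key(),
                        bad_key, False)
    return {
        "good_root": check_root(good_root),
        "bad_root": check_root(bad_root),
        "revocable_leaf": check_issued(revocable),
        "unrevocable_leaf": check_issued(unrevocable),
    }


if __name__ == "__main__":
    for label, findings in demo().items():
        print(f"{label}: {findings or 'no objections'}")
```

Running the script prints no objections for the careful root and its revocable leaf, a key-size objection for the careless root, and a missing-revocation objection for the leaf it issued. The checks are deliberately only the mechanical ones; nothing here can inspect how the private key is stored or how the CA validates identity, which is exactly why the post argues those questions have to be asked of the CA directly.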
