Now if mozilla can say, "We relied entirely on the answers from AICPA",
I'm just wondering about this one. Saying you relied on the answers from the other company without performing your own basic checks, as far as lawsuits go, wouldn't that still make you liable for blindly accepting information from a 3rd party? If they then do nothing when there is a breach, isn't this negligence on their behalf as well? And knowingly accepting information from a negligent entity surely must paint a bad picture (or good) for someone looking to have a frivolous lawsuit.
Well, I've been developing crypto code in netscape/mozilla and supporting their users for 7+ years, and I think I know what I'm talking about. People who need a cert (such as 100% of your clientele) know about CAs. The average user who buys something on the web can't even spell CA. :)
We're working on the education thing :) Which is part of our services to the community, not just certificates but trying to give out as much relevant information to users and the general public alike. After all, everyone should be a potential user and protect their email with crypto. I don't see too many businesses sending information on the back of postcards, but then they turn around and send plain text, unsigned emails... People really don't have a clue :)
Yes, and I think that situation is unfortunate. I wish it were otherwise.
But *if* MF decides that they must rely on AICPA/WebTrust for the same reason that Microsoft allegedly does, then well ... darn!
As I said above, surely relying on a company that doesn't do anything post is acknowledging they may not be 100% reliable, and in doing so you create negligence of your own. Then again I'm not a lawyer either, I'm just throwing round ideas...
But you'll notice that I am pushing both sides of the issue. Whether MF decides to adopt AICPA answers or decides to make up their own, I am pushing for good secure answers in both cases.
This whole liability issue only exists because certificates have been used to make money and be synonymous with online commerce. What one of our goals is, is to provide security for things that have no value in the business world, such as protecting webmail, protecting control interfaces, even just sharing photos in an online gallery that you don't want others to know about, for whatever personal reasons.
Yes, there is a problem with CAs that are liable for their blatant actions. However, getting entities that are proven to exist should deflect any blame from MF. All MF has to do is review the CAs' policies/processes and get written verification from a suitable 3rd party that the processes are being adhered to; if they aren't suitable they aren't included, and if they are suitable, then the CA in question more than likely broke their own policies/CPS and is possibly criminally in trouble as well. I think MF can be responsible for their own browser a lot more without resorting to 3rd parties, and not just because I'm slightly biased in this instance.
_______________________________________________
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto
