As with my previous comments in bugzilla, everything I write below represents only my personal opinions at this point.

Nelson Bolyard wrote:
As seen in http://bugzilla.mozilla.org/long_list.cgi?buglist=215243
mozilla.org is now wrestling with the topic of how to choose which
root CA certs to include, and which not to include, in the mozilla
open source.

My guess is that lawyers will have a lot to do with the selection. :(
But IMO it would still be good if the mozilla community could come to
some agreement on certain issues, such as:

Actually, unless something happens to convince me otherwise, I believe that lawyers will have nothing to do with the selection of CAs and with any MF policy that gets created. If lawyers do get involved then IMO there will be no policy, just paralysis. It is also not clear to me at all that lawyers need to get involved, given that Mozilla licensing terms pretty much disclaim all liability for anything and everything related to the operation of Mozilla.


For now I would proceed as if legal issues of liability, etc., do not exist. I don't mean that we should be lackadaisical about things that might cause harm; rather I mean that we should not do things a certain way purely because of a perceived legal issue and for no other reason.

To what standard should CAs be held to be added and remain in mozilla's
built-in list of trusted root CAs?
<snip>
What are some questions that a web user, or an https server admin,
or a sender or recipient of signed or encrypted email, might raise
about the adequacy of the CA's security practices?

Here are some that occur to me, in no particular order.

These are fine questions as far as they go, and certainly are valid candidates for going into a list of evaluation criteria. But as I noted to you separately, I think it is not enough to come up with questions without providing some measure of justification for why these particular questions. Ultimately our goal is to benefit Mozilla users, so everything IMO has to come back to that.


Now clearly one way to think about user benefit in this context is to focus on "negative benefits", i.e., the harms that could potentially come to users if particular criteria are not met by a CA. This IMO requires not just having a plausible attack mechanism but rather going through something like Bruce Schneier's 5-point checklist: what are we trying to protect, what are the real risks, do the proposed criteria actually mitigate the risk, are there other risks as side effects of the criteria, and what are the costs and trade-offs?

Another way to think about benefits is in terms of positive benefits, i.e., would including a particular CA's cert(s) be good in some way for Mozilla users and/or the Mozilla project/community? For example, does the CA serve a community that's important to the project? Does the CA promote increased use of Mozilla features that depend on certs? And so on.

My personal opinion is that any policy should both promote positive benefits and mitigate "negative benefits", and that any decision made in conjunction with the policy should take both perspectives into account.

Frank

--
Frank Hecker
[EMAIL PROTECTED]
_______________________________________________
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto