Frank Hecker wrote [in part]:

> As noted in prior discussions, the Mozilla Foundation and mozilla.org
> staff are considering adopting a formal policy regarding selection of
> new CA certificates for inclusion in the default certificate database
> distributed with Mozilla, Firefox, Thunderbird, etc.
After reviewing the discussion in this thread (and other threads), I must conclude that the whole approach to developing a policy is flawed. A policy should represent specifics based on a more general philosophy, but I don't think the philosophy itself is clear in this case.

The first question that must be answered is: Why continue developing Mozilla? I would hope the answer does NOT revolve around an exercise in computer science but instead reflects a desire to create a high-quality software application for personal and commercial use -- an application for the real world.

If Mozilla is intended for real use, the next question is: Who uses Mozilla? Given my hope for the answer to the first question, the answer to this question should be: Anyone who uses the Internet. This means that most Mozilla users are not truly sophisticated software experts.

The answer to the second question raises the next question: In that context, how are (not how should) CA certificates used? Clearly (at least to me), the answer is: The primary and most important use of a CA certificate is to provide the Mozilla user with assurance that (1) a critical Web site is indeed what it purports to be and (2) sensitive data communicated to a Web server travels across the Internet securely.

If this chain of questions and answers is valid, then the Mozilla Foundation has an obligation to those who use its products to authenticate not only the validity of each CA certificate in the default database but also the integrity of the CA's process of issuing and signing Web server certificates with that CA certificate. This requires specific, objective, and verifiable criteria for authenticating both validity and integrity.

I advocate third-party audits because those criteria already exist and are already being applied through such audits. No, this does not mean only WebTrust audits. Earlier in this thread, I cited a California state regulation that specifies either WebTrust or SAS 70 audits. (See Sections 22003(a)6(C) and 22003(a)6(D) under <http://www.ss.ca.gov/digsig/regulations.htm#22003>.) Further, that regulation provides criteria for accepting other accreditation criteria. However, until other criteria can be clearly identified and documented, the WebTrust and SAS 70 audits are the only trustworthy and reliable bases for accepting CA certificates.

In the end, the real question is: Can we trust and rely on the CA certificates in the Mozilla default database to protect our privacy and our assets? The answer to that question will determine whether we can trust the Mozilla Foundation, which needs to clarify the underlying philosophy upon which the proposed policy should be based.

Of course, my original assumption -- my hope for the answer to the first question -- might not be valid. In this case, Mozilla is merely an interesting toy; and I will then have to rely on some other browser for online banking and other critical Web uses.

-- 
David E. Ross
<http://www.rossde.com/>

_______________________________________________
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto
