The purpose of third-party audits is to provide evidence that the CA's practices include some defined level of care when using the CA certificate to sign a Web server certificate.
For the average person, this is fairly meaningless.
It's akin to "trust me, we have auditors." Enron, and all that, are just the beginning of the failure of this process. As auditors tend to just check that the CA is following its own declared practices, and bring little incentive to detect real failures to the event, audits are not all they are cracked up to be.
(For the serious professional, it is even more daunting, as each layer that gets peeled off in the CA reveals either "trust me" or "I wonder if that really works...")
> If CA
certificates are installed only when the CA has passed such an
audit, then I indeed have some assurance that a critical Web site
is indeed what it purports to be. That assurance is greater than
if merely the CA itself said, "Trust me." It is also greater than
if Mozilla said, "Don't worry. We know what we're doing."
Actually, I would agree that Mozilla should not say "We know what we are doing." I would suggest that Mozilla present a little more info to the user, and suggest the user decide for themselves whether the CA concerned is worth anything.
We've had good success using GeoTrust certificates, for example. But, none of the users of our sites know this. To them, the browser says "trust me, it's probably Verisign." That's daft.
It would be much better if the browser simply said something akin to "GeoTrust says this is the right place, have a nice day!"
For protecting my bank and stock accounts and my privacy, I want
to know that the CA that issued and signed my bank's or mutual
fund's server certificate has itself been vetted by a professional
using recognized, objective standards.
David, I've got bad news for you.
While you were worried about some mythical man in the middle sneaking in and stealing your password for no good purpose (the bank/fund would be covered against that in general), you were probably being robbed blind by your mutual fund.
You were sold a bill of goods. Certs do not provide much protection in the scheme of things, simply because there is little or no threat from any MITM (and spoofs go right past them). The serious, critical threats to those institutions come from inside, and from other more simplistic attacks. What SSL/TLS certificates *did* do, however, was distract you, and countless other professionals, from properly analysing the security of the institution.
I'm hoping that Mozilla can realise this. There is an opportunity here to restart the security process that has lain dormant for a decade. And a crying need - the threats today are from spoofs/ phishing, viruses, insider robbery, database hacks, and so forth - all of which need to be addressed by a wholistic approach to security, not by worrying about this cert or that CA covering a threat that doesn't exist except in the minds of cryptography academics.
Mind you, I'm very curious - has anyone evaluated the threat level that certs cover? Any evidence of MITMs down your way? I've never seen any, and I'd love to add some hard numbers to the analysis.
iang _______________________________________________ mozilla-crypto mailing list [EMAIL PROTECTED] http://mail.mozilla.org/listinfo/mozilla-crypto
