Scott Rea wrote:

> When a CA issues an SSL certificate, generally all they are asserting is
> that the public key in the cert relates to a private key owned by the
> subject and was requested by an individual authorized on behalf of the
> company responsible for the domain of the subject. That is what we need
> to educate users on. I don't think CAs can or should be responsible for
> anything other than this.
Actually, I don't expect anything beyond that. If you read the actual "WebTrust Program for Certification Authorities", you will see that an accredited CA verifies that the purchaser is who he says he is and that the CA signing key is kept secure to avoid issuing unauthorized or unverified server certificates, both of which are very important now that such frauds as "phishing" are growing. A third-party audit serves to verify that the CA does indeed exercise care when issuing server certificates. Nothing in the WebTrust process involves having the CA verify the business practices of the owners of server certificates issued by CAs.

If the Mozilla Foundation wants to do its own independent verification of CA practices, I would accept such a policy. However, the Foundation's verification process should be documented. I merely advocate third-party audits because the process for those audits is already documented and the audits are already being done.

Also, since third-party financial auditors have been found liable for investor losses when their audits have been inaccurate or inadequate, I think third-party CA audits could shift liability away from the Mozilla Foundation. Such audits are endorsed by California law, and the Foundation is incorporated in California. Thus, reliance on such audits might be a good defense for the Foundation if an accredited CA whose own certificate is contained in the Mozilla default database happens to issue a server certificate improperly (e.g., to a fraudulently identified server owner). Note that the fact that Mozilla products can be obtained for free does not eliminate the Foundation's liability if someone suffers measurable harm from using those products (e.g., the emptying of a bank account by a phishing fraud).

-- 
David E. Ross
<http://www.rossde.com/>

I use Mozilla as my Web browser because I want a browser that complies with Web standards. See <http://www.mozilla.org/>.
_______________________________________________
mozilla-crypto mailing list
http://mail.mozilla.org/listinfo/mozilla-crypto
