Ian,
> Frankly, if a CA acts up -- you pull them out.
People say that, but has anyone done it? Has any CA been pulled, ever? And what for? How hard was it to do?
Please compare the built-in CA list for Communicator 4.7x and mozilla (any recent version). IIRC, mozilla's list is smaller. Yet it was derived from Communicator's list. If my memory isn't mistaken here, then CAs have been pulled from the list.
Right, but that's not quite "pulling" is it? That's "declining to copy."
Mozilla Foundation is a separate organisation to Netscape. They are very different, one is a not-for-profit open source developer, and the other is a for-profit, closed source, seller of browsers and servers. In business terms, it's just about all different.
From this point of view of Mozilla being a separate entity, it would be ludicrous to say that just because some CA was listed in the Netscape list, Mozilla cannot remove it... A very different thing to Mozilla adding a CA this year and taking it out next year.
...
Perhaps it's time for a "major" revision of the CA list.
I'd suggest that take place after Frank's current WebTrust set is done, and after the non-WebTrusts are done.
It is important to have an independent standard against which to judge CA behavior (and WebTrust seems to be the most likely candidate).
This is an important point. So, the question then is, how does WebTrust do it? How does it decide, process, analyse and advise a decision to drop a CA? Does it indeed do anything, other than decline to conduct another audit?
That's a fair question. Another is, what does it take to convince WebTrust that some party they've audited is no longer following the audited practices, and therefore that party's seal ought to be reconsidered.
I recently learned that at least one "authenticode" cert has been revoked by its issuer because the issuer believed that the party to whom the cert was issued was violating some rule, probably some aspect of some agreement. I'm not familiar with the terms of the agreement(s) to which an applicant must agree to receive an authenticode cert, but that might be instructive to find out.
I suppose the issue here is that if a CA has a WebTrust, and the seal is pulled, then there is no problem with pulling Mozilla's root distro. Then, for a CA without a WebTrust, they probably wouldn't cause too much of a difficulty anyway, so that isn't an issue.
The remaining danger area is a CA with a WebTrust where Mozilla has decided to pull it, and WebTrust has not. On this, having a policy that clearly spells out that it can be pulled at sole discretion by MF, and taking no money (very important, as this means there is no contract) then that would cover it.
Except for the costs of proving that in court, however.
market. Legislation was proposed and pushed through by CAs in some places that created a barrier to entry.
That occurred well AFTER Netscape first offered clients with CA lists.
As the legislation in mind passed in 1995, I'm not sure that "well after" is on the money there. Wasn't the earliest discussion of SSL in 1994?
Mind you, I never heard of Netscape having anything to do with the legislation. And, I don't really see what is to be gained by digging up the past that much, as long as we can recognise it for what it was.
AFAIK, those laws presented barriers to CAs wanting to do business with the state.
No, the original model set liability limits for all users of the CAs. It was a messy area, and I think the whole thing blew up in their faces. Which was why the original models weren't so widely adopted.
> But they didn't stop CAs from getting into Netscape's list. And I think they have no bearing on mozilla, unless mozilla decides they do.
Yes, it was a purely historical comment, meant to imply that HTTPS got off to a bad start, and resorting back to the good old days is not much use.
iang

mozilla-crypto mailing list: http://mail.mozilla.org/listinfo/mozilla-crypto
