Nelson B wrote:
> Frank Hecker wrote:
> > <p>This is the official Mozilla Foundation policy for CA certificates
> > -that it distributes with its software products:</p>
> > +that we distributes with our software products:</p>
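Review bot: subject-verb agreement in the `+` line: "that we distributes with our software products" should read "that we distribute with our software products", since the subject was changed from "it" to "we" without changing the verb.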
> "we distributes" reminds me of the old Popeye cartoons. :)
> Popeye talked like that.
> Two questions about this draft:
> 1. Does this floor address the "Click Yes to continue" phenomenon?
> Should it?
That's a thorny issue. The company's name was indeed
that, in Canada. In that case, as the company's name,
there is a well established precedent to use that name.
In company naming there are a few things you can't do,
such as use rude words and use others' names. Also,
most countries have restrictions on the national labels.
But using a branding or advertising slogan is fine. Using
a common expression is fine - as long as nobody got there
first.
At the extreme, "Click Yes to continue" would even have a
plausible complaint against any company that declined
to accept its name!
Which is not to say that I think it's right or wrong, but
that dealing with this issue in policy terms is real tough.
> 2. Recently I encountered an SSL server cert from a low-assurance CA
> in which the cert's entire subject name consisted of the
> "Common Name" which was the server's domain name. There was no other
> information at all about the person/organization behind that cert.
> That seems like something mozilla's policy ought to address in its floor.
> IMO, that's not good enough for an SSL CA in mozilla's CA list. Agreed?
My perspective on this is taken from years of doing
issuance contracts in an unregulated field. The
natural tendency is to expect there to be a standard
and for everyone to follow it. But in practice, there
often isn't much of a standard, and that which is
there isn't of any help; in fact in terms of addressing
fraud, most standards hinder more than they help.
In order to address this, I developed a simple rule:
tell the truth. Everything that was written into a
contract should be the truth. The digital signature
should attest to that. Now, this might seem quite
basic, but I had a lot of trouble getting people to
follow this rule in writing contracts... in contrast,
there was rarely any problem with readers of
contracts. As soon as they read the document,
they knew when things were missing, in general.
So as long as whatever is in that cert is the truth,
I don't see an issue. That's just me, tho!
iang
--
News and views on what matters in finance+crypto:
http://financialcryptography.com/
_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto
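Nelson's second question concerns a server certificate whose subject DN carried nothing but a Common Name equal to the hostname. The following is an added illustration of how an operator could audit for exactly that condition; it is not code from this thread, from Mozilla, or from any CA. It works on the subject structure that Python's standard-library `ssl.SSLSocket.getpeercert()` returns (a tuple of RDNs, each a tuple of `(attribute, value)` pairs), so the same check can be pointed at a live peer. The sample subjects, the hostnames in them and the category labels are constructed for the example.

```python
"""Audit a server certificate's subject DN for the "CN only" pattern.

Input format: the 'subject' value from ssl.SSLSocket.getpeercert(), e.g.
    ((('countryName', 'CA'),), (('organizationName', 'Example Corp'),),
     (('commonName', 'www.example.test'),))
"""
import socket
import ssl

# Attribute names (as getpeercert() spells them) that say something about
# the organisation behind the certificate rather than just the hostname.
IDENTITY_ATTRS = {
    "organizationName",
    "organizationalUnitName",
    "localityName",
    "stateOrProvinceName",
    "countryName",
}


def subject_attrs(subject):
    """Flatten getpeercert()'s subject into {attribute: [values]}.

    Multi-valued RDNs (several pairs in one inner tuple) and repeated
    attributes (several commonName RDNs) are both preserved.
    """
    attrs = {}
    for rdn in subject:
        for attr, value in rdn:
            attrs.setdefault(attr, []).append(value)
    return attrs


def is_cn_only(subject):
    """True when the subject consists solely of commonName attribute(s)."""
    attrs = subject_attrs(subject)
    return bool(attrs) and set(attrs) == {"commonName"}


def audit_subject(subject):
    """Classify a subject DN: 'empty-subject', 'cn-only',
    'no-identity-attributes' (something besides CN, but nothing naming an
    organisation or place) or 'has-identity'."""
    attrs = subject_attrs(subject)
    if not attrs:
        return "empty-subject"
    if is_cn_only(subject):
        return "cn-only"
    if not (set(attrs) & IDENTITY_ATTRS):
        return "no-identity-attributes"
    return "has-identity"


def audit_peer(host, port=443, timeout=5.0):
    """Fetch and audit a live server's certificate subject (network call).

    create_default_context() verifies the chain, so getpeercert() returns
    the parsed certificate rather than an empty dict.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return audit_subject(cert.get("subject", ()))


# Constructed sample subjects (not from real certificates).
CN_ONLY = ((("commonName", "www.example.test"),),)
FULL = (
    (("countryName", "CA"),),
    (("stateOrProvinceName", "Ontario"),),
    (("localityName", "Toronto"),),
    (("organizationName", "Example Corp"),),
    (("commonName", "www.example.test"),),
)
MULTI_CN = (
    (("commonName", "example.test"),),
    (("commonName", "www.example.test"),),
)
EMAIL_AND_CN = (
    (("emailAddress", "admin@example.test"),),
    (("commonName", "www.example.test"),),
)

if __name__ == "__main__":
    samples = [("cn-only", CN_ONLY), ("full", FULL),
               ("multi-cn", MULTI_CN), ("email+cn", EMAIL_AND_CN)]
    for label, subj in samples:
        print(f"{label:10s} -> {audit_subject(subj)}")
```

The classification deliberately distinguishes "only CN" from "CN plus something that still names no organisation" (an email address, say), since a policy floor might treat the two differently; what counts as an identity-bearing attribute is the one judgement call in the code, and the set is easy to adjust. `audit_peer()` is included so the check can be run against a real endpoint, but the samples above are what the example exercises offline.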