On 4/18/05, Gervase Markham <[EMAIL PROTECTED]> wrote: > Tyler Close wrote: > > For many use cases, my suggestion eliminates the need to bundle CA > > certificates in the browser. > > I suggest not. After all, if we make unknown CAs look just like an HTTP > connection, why could Hugo not just use an HTTP connection?
Because an HTTP connection is neither encrypted, nor possible to authenticate. If Firefox will let us have encryption and key exchange without any annoying dialog, we can layer on our own accreditation mechanism, such as petnames. For many use cases, this solution is not only sufficient, but optimal. > The fact > that he doesn't want to suggests that something more is required. Actually, Hugo responded to my last email, indicating that I do understand his main goal: to enable the Chilean people to browse Chilean SSL sites without requiring a vulnerability to a non-Chilean entity. > That's not to say that it's not a good idea, but I don't think it will > help Hugo. Well, let's find out. It is technically *very* easy to incorporate the petname tool into the next security release of Firefox. Let's see if making this set of changes relieves some of the pressure on Frank to add more CA certificates. > > Currently, the purpose in bundling a CA certificate in the browser is: > > > > A. Eliminate the pop-up dialog that appears when a new CA is encountered. > > B. Distribute the public key of the new CA. > > That's not the whole story. If it were, we would include every CA which > applied without any vetting at all. Bundling the certificate must > therefore mean something else as well. I am aware that you want to define an accreditation function for the CA list, but I think we can agree that the accreditation value of the *current* CA list is at best ill-defined, if not non-existent. Given this status-quo, it's feasible to look at other ways of matching the actual functionality of the current system, and alternate ways of achieving the desired accreditation function. The petname tool is such a solution. See: http://petname.mozdev.org/ Tyler -- The web-calculus is the union of REST and capability-based security: http://www.waterken.com/dev/Web/ _______________________________________________ mozilla-crypto mailing list [email protected] http://mail.mozilla.org/listinfo/mozilla-crypto
