Jean-Marc Desperrier wrote:

Ian, I have not much time now, but the Hungarian cert in question is *not* using the monetary limit extension, only the extension to say it is a qualified certificate, which consists just of an OID and is therefore easy to parse.


OK, that's good to know that there is no number
involved.  That just leaves us with determining
what information *is* in this cert, and how it is
that it needs to be presented to the user, and
what the legal and contractual ramifications of
all this information are.

The fact that it might be easy to parse doesn't
make it easy to present.  How do you envisage
presenting this information?

Could you give us an example?

What are the contractual ramifications for the
parties?  What happens if it goes wrong?

(And, I don't think the answer to the above is
"nothing" as if it was, there would be no need
for a law and no need for a critical bit.)



Here's why it is important.  If the information
requires "special processing" then the mere
fact that the code in Mozilla goes on to do that
special processing creates a liability.  By doing
so - providing that processing - Mozilla has
accepted the contractual and legal ramifications
as presented by the cert and the EU directive.
If the information is of monetary importance
(and this is the case AFAIK) then it becomes
monetary ramifications - liability.

So, if the code gets it wrong, there may be an action
against Mozilla.  As Mozilla seems to be out on
a limb on this (IE and Opera do not process
the crits) this could get messy, as by signalling
willingness to follow the contractual position
provided by the crits, when others have not,
this opens the door to some strange results.

This is probably one reason IE doesn't follow
the RFC on this:  they don't want to accept the
responsibility.  A second reason is that they
probably couldn't be bothered writing the code
to deal with it, because this opens the door for
any Tom, Dick, Harry CA to start asking for
special code.

Also the monetary extension is *not* as you say arbitrary text, it's a perfectly defined format, and even if there might be text for the monetary unit, it is restricted to the value defined in an ANSI norm for the representation of currencies.


OK, so as you say that right now the monetary
extension is not being used, I guess we can skip
that debate for now.  Unless, that is, the Hungarians
or anyone is thinking of using this, in which case
it might be a good idea to see some examples of
this.

You're not giving an accurate representation of things.


Let me repeat what I said:  "It certainly opens
a can of worms."  That statement is as I see it,
and I'd dearly love to be corrected on that.

In the law that asks for these processes to be done
of the CAs, what is the legal requirement on the
software manufacturer?  What is the liability?
Is there any disclaimer in the law that says that
the software manufacturer is not a party to this,
or not liable?

iang

--
News and views on what matters in finance+crypto:
       http://financialcryptography.com/

_______________________________________________
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security
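The two extensions discussed in the thread, the OID-only "qualified certificate" statement and the monetary limit with its currency code, as an added example that is not part of the original messages: a minimal Python DER reader for the QCStatements extension (RFC 3739 / ETSI TS 101 862) that decodes both and flags any statement id it does not recognise instead of dropping it. It assumes the real ETSI statement OIDs and a constructed sample extension value; it is not Mozilla's or anyone else's production code.

```python
# Added example (not from the thread): DER reader for QCStatements (RFC 3739 / ETSI TS 101 862).
QC_COMPLIANCE = "0.4.0.1862.1.1"   # real ETSI OID: "qualified certificate", no payload
QC_LIMIT_VALUE = "0.4.0.1862.1.2"  # real ETSI OID: monetary limit { currency, amount, exponent }
# Constructed sample extension value: { qcCompliance, qcLimitValue { "HUF", 1000, 3 } }
SAMPLE = bytes.fromhex("3022" "3008" "0606" "04008e460101" "3016" "0606" "04008e460102"
                       "300c" "1303485546" "020203e8" "020103")
def read_tlv(buf, pos):
    """Return (tag, contents, next_pos) for the DER element at pos (short and long lengths)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits count the length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length
def decode_oid(c):
    """OID contents octets -> dotted decimal; the first octet packs the first two arcs."""
    arcs, acc = [c[0] // 40, c[0] % 40], 0
    for b in c[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))
def decode_limit(body):
    """QcLimitValue ::= SEQUENCE { currency (ISO 4217 alpha or numeric), amount, exponent }."""
    tag, cur, pos = read_tlv(body, 0)
    currency = cur.decode("ascii") if tag == 0x13 else int.from_bytes(cur, "big")
    _, amount, pos = read_tlv(body, pos)
    _, exponent, _ = read_tlv(body, pos)
    return currency, int.from_bytes(amount, "big", signed=True), int.from_bytes(exponent, "big", signed=True)
def parse_qc_statements(der):
    """Return [(oid, info)]; info is None, a (currency, amount, exponent) tuple, or raw bytes."""
    tag, body, _ = read_tlv(der, 0)
    assert tag == 0x30, "QCStatements must be a SEQUENCE"
    out, pos = [], 0
    while pos < len(body):
        _, stmt, pos = read_tlv(body, pos)
        _, oid_bytes, p = read_tlv(stmt, 0)
        oid, info = decode_oid(oid_bytes), None
        if p < len(stmt):                      # optional statementInfo present
            _, info, _ = read_tlv(stmt, p)
            info = decode_limit(info) if oid == QC_LIMIT_VALUE else bytes(info)
        out.append((oid, info))
    return out
def describe(der):
    """Strings a client would have to show the user; an unknown statement is flagged, not dropped."""
    names = {QC_COMPLIANCE: "qualified certificate", QC_LIMIT_VALUE: "transaction limit %d %s"}
    return [names[oid] % (info[1] * 10 ** info[2], info[0]) if oid == QC_LIMIT_VALUE
            else names.get(oid, "unrecognised statement " + oid)
            for oid, info in parse_qc_statements(der)]
```

Parsing is the easy half, as the thread notes: `describe()` only turns the statements into strings, and what a client must then do with "transaction limit 1000000 HUF" (or with a statement it has never seen) is exactly the open question.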