Jean-Marc Desperrier wrote:
Ian, I have not much time now, but the hungarian cert in question is *not* using the monetary limit extension, only the extension to say it is a qualified certificate, which consists just of an OID and is therefore easy to parse.
OK, that's good to know that there is no number involved. That just leaves us with determining what information *is* in this cert, and how it is that it needs to be presented to the user, and what the legal and contractual ramifications of all this information is.
The fact that it might be easy to parse doesn't make it easy to present. How do you envisage presenting this information?
Could you give us an example?
What are the contractual ramifications for the parties? What happens if it goes wrong?
(And, I don't think the answer to the above is "nothing" as if it was, there would be no need for a law and no need for a critical bit.)
Here's why it is important. If the information requires "special processing" then the mere fact that the code in Mozilla goes on to do that special processing creates a liability. By doing so - providing that processing - Mozilla has accepted the contractual and legal ramifications as presented by the cert and the EU directive. If the information is of monetary important (and this is the case AFAIK) then it becomes monetary ramifications - liability.
So, if the code gets it wrong, there may be an action against Mozilla. As Mozilla seems to be out on a limb on this (IE and Opera do not process the crits) this could get messy, as by signalling willingness to follow the contractual position provided by the crits, when others have not, this opens the door to some strange results.
This is probably one reason IE doesn't follow the RFC on this: they don't want to accept the responsibility. A second reason is that they probably couldn't be bothered writing the code to deal with it, because this opens the door for any Tom,Dick,Harry CA to start asking for special code.
Also the monetary extension is *not* as you say arbitrary text, it's a perfectly defined format, and even if there might text for the monetary unit, it is restricted to the value defined in an ANSI norm for the representation of currencies.
OK, so as you say that right now the monetary extension is not being used, I guess we can skip that debate for now. Unless that is the Hungarians or anyone is thinking of using this, in which case it might be a good idea to see some examples of this.
You're not giving an acurate representation of things.
Let me repeat what I said: "It certainly opens a can of worms." That statement is as I see it, and I'd dearly love to be corrected on that.
In the law that asks for these process to be done of the CAs, what is the legal requirement on the software manufacturer? What is the liability? Is there any disclaimer in the law that says that the software manufacturer is not a party to this, or not liable?
iang
-- News and views on what matters in finance+crypto: http://financialcryptography.com/
_______________________________________________ Mozilla-security mailing list Mozilla-security@mozilla.org http://mail.mozilla.org/listinfo/mozilla-security