Ian G wrote:
Nelson just posted a bug comment, but I think the
response and discussion of the points he raised
are too broad for that bug, so I'll move them here,
if nobody minds.

I have two points to make here - the reality of
the CA "trust" decision, and the goal.

[EMAIL PROTECTED] wrote:

https://bugzilla.mozilla.org/show_bug.cgi?id=286107

------- Additional Comments From [EMAIL PROTECTED] 2005-03-16 10:29 PST -------
Ian's arguments are predicated on the existence of untrustworthy CAs who
will issue certs falsely for domain names that are justly certified by one or more other CAs. That situation may arise someday, if we let untrustworthy CAs into the list.
But that has not yet been decided, and is not yet even proposed by the current draft Mozilla CA cert policy. If one of the CAs trusted under the
present draft policy were to issue a rogue cert, and did not revoke it,
that would be cause for removal from the trust list.



My first point is that I have a different view of these things and it is very important to understand that all my thoughts derive from this view, while all your thoughts derive from your view.

Here's your view, if I can be excused for interpreting
your words:  You think that we currently have a situation
where we can trust the CAs currently in the root list to
"get it right."  You also think or fear with a high degree
of risk that if we enact the new policy, we will move from
State A - we can trust the CAs - to a new State B where we
can no longer trust all the CAs all the time.

OK?  Correct me, please, so we can all understand the ground
from which we speak.

Here's my view:  we are already in State B.  Enacting the
policy will IMHO make no difference to the state, because
we are already there.  I would have thought that was
abundantly clear from the Shmoo example, but I guess we
need more evidence to determine the truth or otherwise.

I agree with Ian here, we cannot trust all CAs.
The requirements, even with well-known CAs like VeriSign,
are just too easily spoofed.


But - at least let's understand each other's world views:

You think we are in State A - "trust" and the new policy
will take us to State B (you fear).

I think we are already in State B.  And the policy is
simply going to help us deal with that by making it more
visible.

(A marginal improvement, but welcome nonetheless.)


So I suggest that we do not assume it to be the case today. Folks, it remains the policy that we TRUST the CAs that we've decided to TRUST.
Ian very much would like to see the world be very different and is doing
every thing in his power to influence it all to be changed.



OK. Now my second point is that I have a goal. I'd like to hear what your goal is, but bear with me while I outline my goal. This causes my worldview.

My goal is security.  The security of the net.  In this,
I see the biggest current danger to the security of the
net as phishing.  (we can discuss why, but I'm just
claiming that for now.)

In order to address phishing, I see things like the
list and comments of Peter Gutmann today, the ideas
of Gervase, the code of Amir & Ahmad, some of the
other theoretically inspired ideas from the petnames
/ caps community, etc etc, as very promising.  They
all seem to suggest a way forward for dealing with
phishing.

In opposition to that, we know that SSL and certs
as they stand today do nothing to stop phishing.
Nix, zip, nada.  So I conclude that anything that
maintains the status quo needs to show how it addresses
security, and very specifically how it helps to address
the real threats facing users today.

So my goal is security, and it reduces to "let's fight
phishing."
Agreed. Security needs to look at reducing vulnerabilities
that expose the user to phishing attempts
(the biggest being redirects and site spoofing).

CA issues address the latter: if it is made harder for sites to
be spoofed with better certificate controls in the browsers, and there is less opportunity for redirects to be hijacked, then we have done what we can.



Can you tell me how your policy helps that?


But be aware that any such policy change must be carefully considered
and not implemented piece-meal in some parts of mozilla without considering
the security implications across the board.

Good point; any changes have to be considered from all possible aspects,
or we are just going to lose the user base to browsers that do not have these security concerns addressed.



I have to agree that Gerv's favorite proposal has none of these objections.
It does not represent a policy change regarding trust of CAs, nor does it
prevent one in the future.



Then, support that! This subject is so complex and so involved with so many people that any small radical steps will be welcome. Once people start thinking about how a new feature or a new switcheroo works, the precise way to deal with phishing will come out in a mixture of experimentation, theory, risks and downright mistakes.


iang

