On Wednesday 11 May 2005 01:13, Duane wrote:
> Gervase Markham wrote:
> > At the moment, I've been asked not to say who has been invited apart
> > from us and Comodo (the organisers). I assume I will be able to, either
> > closer to the time or afterwards.
>
> Why should something that will potentially affect all of us be shrouded
> in such secrecy, who has something to hide here? Security through
> obscurity doesn't cut it, isn't that the exact opposite of one of the
> premises that's supposed to make open source software better?

Duane, don't worry about it. Let's put this in perspective: as only CAs and browser manufacturers are invited, there is only a slice of the interested parties there. There are no users, no lawyers, no enforcement people, no server side people, maybe no Microsoft, no FDIC, and probably no security people.

The normal thing that happens is that when there is a problem, people get together and talk about it. Now, there is a big problem with security - nobody knows how it works (to cut a tall story off above the knees). So out of this arise what we call "solutions" and "best practices", which also means that the person who a) invents the solution and b) gets everyone to accept it is the one that wins.

So this means in economic terms that you will see lots and lots of meetings spring up and lots and lots of solution selling to each other. This is such an event. But, remember the first part. The security itself is probably or completely misunderstood. (Oh, and I forgot, the phisher isn't invited either.)

So don't for a moment think that the outcome of this meeting will affect you. The name of the productive game is to simply share as much information as possible; consider it a learning exercise, not a planning exercise.

(Over on the coding side, do whatever you think is best and try it. Don't hold back. Do it now! Change it later!)

> > As an example (and I don't know of anyone who is actually suggesting
> > this), what if we made all CAs who issued non-zero accountability certs
> > post a $1,000,000 bond against losses from phishing attacks performed
> > using their certs? Would you consider that a lockout measure?
>
> Not all our certificates issued are "zero accountability", although the
> bigger our web of trust gets, and the more cross connected it becomes,
> as well as things like feedback on the actual process, things should
> get a lot more interesting in our ability to make some statements of
> identity.

I hadn't seen that before.

Currently I understand all CAs to be in practice zero-accountable. Does anyone know any different? Are there any payouts? Has a CA ever been held to account?

> Basically little birdies have told me that Verisign is walking a fine
> line on this issue, if they push too much (which is why I'm guessing
> Comodo is the front runner) they run the risk of breaching both
> anti-trust and RICO laws, so yes, I really would like to know what
> others are planning to bring to the table.

Oh? Do tell! The market isn't large enough nor is it organised enough to trigger anti-trust laws, I would have thought.

iang

--
http://iang.org/

_______________________________________________
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security