Frank Hecker wrote:

> Well, *I'm* not touting this as fully representative of the CA and

I never meant to imply you did, my apologies... I have received a one-page email from Steve @ Comodo that said the same thing as Gerv's email did in one line: we're not telling you who's coming other than Mozilla and Comodo, and no mention about meeting minutes, which was the main question I put to him.

I'm still trying to work out why everyone thinks security through obscurity is going to actually mean others won't find things out one way or another. Why not just be up front and publicly state that xyz companies are planning to attend, this is the agenda, and this is the link to the meeting minutes?

Actually Steve's email said it all really, "It's up to the company's PR departments", so I guess I'm going to have to imply this is either just a PR stunt to make it look like something is being done, or someone is looking to milk this for a lot of money somehow. Just a pity that SSL has been the most successful marketing failure in history, or at least it ranks well up there; commercial CAs and others managed to work in a mindset that "you should blindly trust who the browsers think should be in them only" without actually putting thought into it (hell, I know I thought that at one stage).

Actually the funniest thing was said the other day: Mark Shuttleworth came out and said the root certificate for Thawte was kept in his underpants drawer for the first 2 years of operation. Needless to say the audience was in stitches over that one...

As Gerv points out (as have others), currently there are no minimums, and commercial CAs (not necessarily security people) with the intent of increasing their own market share to the detriment of others (since SSL has been such a huge success and all). I'm just not seeing altruism from anyone here but Gerv, yourself and the Mozilla Foundation.

> As I've said before, I don't think use of certs in general and SSL in
> particular should be artificially constrained to fit the perceived
> requirements of the Internet e-commerce market. To get back to Gerv's
> draft paper, I think his discussion is consistent with that approach:
> He's proposing leaving the existing browser CA/SSL model and UI in place
> for legacy CAs and certs, and basically creating an extension to the

Not quite. Unknown CAs (he doesn't stipulate, although I assume this means root certs not imported) and self-signed certs won't display the lock, which is a fairly fundamental change, and judging by the stats at the link Ian posted, unknown CAs issue more publicly accessible SSL certificates than Verisign does.

--
Best regards,
Duane

http://www.cacert.org - Free Security Certificates
http://www.nodedb.com - Think globally, network locally
http://www.sydneywireless.com - Telecommunications Freedom
http://happysnapper.com.au - Sell your photos over the net!
http://e164.org - Using Enum.164 to interconnect asterisk servers

"In the long run the pessimist may be proved right, but the optimist has a better time on the trip."

_______________________________________________
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security