David Ross wrote:
The first question that must be answered is: Why continue
developing Mozilla? I would hope the answer does NOT revolve
around an exercise in computer science but instead reflects a
desire to create a high-quality software application for personal
and commercial use -- an application for the real world.

If Mozilla is intended for real use, the next question is: Who
uses Mozilla? Given my hope for the answer to the first question,
the answer to this question should be: Anyone who uses the
Internet.

This means that most Mozilla users are not truly sophisticated
software experts.


(It may be that the Mozilla users in the majority
are not sophisticated.  But, that does not mean
that the software is written for them.)


The answer to the second question raises the next question: In
that context, how are (not how should) CA certificates used?

Clearly (at least to me), the answer is: The primary and most
important use of a CA certificate is to provide the Mozilla user
with assurance that (1) a critical Web site is indeed what it
purports to be and (2) sensitive data communicated to a Web server
travels across the Internet securely.


(This is not clear at all.  I think it rests on
a number of false assumptions, but those are
quite hard to describe in a quick email, so
I'll skip that here.)


If this chain of questions and answers is valid, then the Mozilla
Foundation has an obligation to those who use its products to
authenticate not only the validity of each CA certificate in the
default database but also the integrity of the CA's process of
issuing and signing Web server certificates with that CA
certificate.


How do you conclude that?  As users don't pay
anything, there can not be much of an obligation
of any form, let alone something as sensitive as
the validity of a signature chain (something that
evidently other competitors have also failed to
treat as "obligations").


No, this does not mean only WebTrust audits. Earlier in this
thread, I cited a California state regulation that specifies
either WebTrust or SAS 70 audits. (See Sections 22003(a)6(C) and
22003(a)6(D) under
<http://www.ss.ca.gov/digsig/regulations.htm#22003>.) Further,
that regulation provides criteria for accepting other
accreditation criteria. However, until other criteria can be
clearly identified and documented, the WebTrust and SAS 70 audits
are the only trustworthy and reliable bases for accepting CA
certificates.


Is there a specific reason why Mozilla should
decide to write and distribute its software
according to these regulations?  It seems to
be a bad idea, on the face of it...


In the end, the real question is: Can we trust and rely on the CA
certificates in the Mozilla default database to protect our
privacy and our assets? The answer to that question will
determine whether we can trust the Mozilla Foundation, which needs
to clarify the underlying philosophy upon which the proposed
policy should be based.


No way.  This is FUD.  Just because the default
list of certs might have some flaws does not mean
that we or users or anyone should not trust the
Mozilla Foundation.  The Foundation is under no
obligation to provide a list to you or anyone.

Trying to shame them into providing your list,
one that you can trust, will achieve nothing for
Mozilla or the users.  This is easy to see - if
you could pick the list, as trustworthy, then so
could anyone else.  As there is a debate, it is
clear that picking the list is a vexing issue.
Thus, no room for FUD tactics.


Of course, my original assumption -- my hope for the answer to the
first question -- might not be valid. In this case, Mozilla is
merely an interesting toy; and I will then have to rely on some
other browser for online banking and other critical Web uses.


iang

_______________________________________________
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto
