The uniting of the business assertion with the cryptographic assertion is accomplished via a 2-step process:
1. The statement from the CA on how the cryptographic assertion is made - what checks and balances, identification and authentication mechanisms are employed to assure that the details in the cryptographic assertion (e.g. name, domain ownership etc) are valid - you can get this from the Certification Practice Statement [CPS] (this is generally referenced in the certificate)
2. The audit of the CA by an independent body rating the CA on its adherence to its CPS - in the world of CAs we have SAS 70 and WebTrust that are prevalent, the latter seeming to gain greater emphasis of late.
I seem to have read somewhere recently that Microsoft was considering requiring CAs to pass the WebTrust audit before they would allow their certs to be embedded in their browser - anyone confirm that?
Regards,
-Scott
Ian Grigg wrote:
John Gardiner Myers wrote:
Ian Grigg wrote:
David Ross wrote:
Clearly (at least to me), the answer is: The primary and most important use of a CA certificate is to provide the Mozilla user with assurance that (1) a critical Web site is indeed what it purports to be
(This is not clear at all. I think it rests on a number of false assumptions, but those are quite hard to describe in a quick email, so I'll skip that here.)
As (1) is the definition of a certificate (modulo the fact that applicability goes beyond just web sites), it is as clear to me as any derivation from definitions. That you state it is not clear, omitting any argument, is in no way convincing.
Sorry, yes, I should have left that bit out. The underlying fact here is that a CA certificate carries a signature from a third party (CA) on a key for a second party (website).
That's a cryptographic fact, in general, and other claims are assumptions that may or may not be founded.
It's by no means definitional whether that signature delivers anything like "providing assurance that a critical web site is indeed what it purports to be." The question is whether we can move from a cryptographic statement (this key signs that key) to a business statement (this site is who they say they are) with any degree of confidence.
The answer to that seems to be no. Not with any confidence.
Just as an example of one only amongst a long list of difficulties, the present issue is that, as no browser goes to any trouble to separate out *which* CA made the claim, the confidence is reduced to the lowest common denominator. (There are many more issues, but that one is apropos.)
iang
PS: Cf. branding discussion started by Tim Dierks. AFAIK, Peter Gutmann first made the observation about "one size" security policy resulting in no security.
_______________________________________________ mozilla-crypto mailing list [EMAIL PROTECTED] http://mail.mozilla.org/listinfo/mozilla-crypto