Peter Gutmann wrote:

There's always the problem of politics.  You'd think that support for a free
CA like CAcert would also provide fantastic marketing opportunities for free
browser like Firefox, but this seems to be stalled pretty much idefinitely
because since CAcert doesn't charge for certificates, including it in Firefox
would upset the commercial CAs that do (there's actually a lot more to it than
this, see the interminable flamewars on this topic on blogs and whatnot for
more information).

The situation with CAcert and Mozo is fairly simple.

Mozo ran a long and open design exercise for a CA policy, which specifies that each CA requires an audit [1]. CAcert hasn't got an audit [2].

Mozo did indeed work quite hard to give CAcert and others some more open access to the process. One could debate the wisdom of having an audit at all, or ascribe the motives to politics, or whatever [3] ... in the end, Mozo moved a considerable distance by opening up the process to non-financial-audit firms and to criteria from non-consortium authors [4].

CAcert also now conducts an open process [5], so it is much easier to talk about the audit. It is well advanced on the policy side, only lacking one or two critical policies which are works-in-progress. Audits generally deliver reports that say things like "management has put in place procedures and policies..." so CAcert is in good shape here.

Where the audit has stalled is on the systems side (and the missing policies are all on that side as well). CAcert will either solve their systems problems or die in the attempt. My current estimate is that if CAcert moves seriously to solve the systems problems, then it may have the audit by early 2009. If not, not.

You can read more about it [6] or ask me or them or join their many mail lists, etc etc.


[1] The process was led by Frank Hecker on the open mozo security maillist. I was part of that process, as was Duane (founder of CAcert), because it was an open process.
IMO, the Mozo CA policy project was a great case study in open security, and should be copied by others, including other Mozo security processes.

[2] By way of disclosure, I am the auditor. Minutes of most recent published audit report:

[3] FTR I argued against the requirements for audits.

[4] The case for audits was significantly weakened when rumours spread of audited CAs conducting MITMs on their own customers, and the logical claim that this was permitted under audit as long as it was disclosed, sort of, somewhere, maybe. This was crucial in shifting consensus to allow competition in audit criteria and auditors.

[5] Due to direction from Greg Rose (retiring President) and a funding deal with NLnet that imposes frequent public reports.


The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to