oops199 wrote:
Two posters have taken issue with the BOClean item. Without getting
into any of the esoteric questions raised, perhaps it would be a VERY
good idea to take a look at the real issue.
That issue would seem to be that Firefox comes "out of the download"
with some fairly questionable sites automatically set up as acceptable
security certificate issuers. This is a real problem. Many users, in
fact most users, have no idea what the certif's are or who should be
issuing and verifying them. Additionally we have all seen recently
ways that unscrupulous ones have managed to get apparently valid
certifs. Certif's are a real problem and NOT one that an average user
should be expected to handle.
So let's see some immediate action by Mozilla // FF to correct this
problem.
As noted in a message I just sent to this forum, the Mozilla project in
general (and the Mozilla Foundation in particular) has in fact been
dealing with the CA certificate issue for quite some time now. We have
an official policy on how we decide to include CAs or not (a policy that
was created through a public process with lots of discussion from lots
of people), a public process by which we go about making a decision on a
particular CA (with a public record kept in our Bugzilla bug database),
and a defined process by which people can submit reports of security
vulnerabilities, including any vulnerabilities related to the CA
certificates we pre-load.
If you or anyone else thinks there are security problems with a
particular CA, please file a bug in Bugzilla or send a message to
[EMAIL PROTECTED], along with *specific* evidence of the problem and
the resulting threat to users. Please also include any evidence related
to what the CA has or hasn't done.
Frank
--
Frank Hecker
[EMAIL PROTECTED]
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security