Heikki Toivonen wrote:
> Since IE
> has the first(?) UI for EV certs, other browser manufacturers have some
> incentive to follow their lead unless they can think of something
> obviously better.
>

As someone else pointed out, Mozilla should lead, not follow. That's the reason for our proposal...And what if Microsoft follows the lead of Mozilla thereafter?

> Even though I consider myself security savvy, I'd rather not deal with
> multiple levels in the browser myself.

Nobody asked you to do this. There are very capable people at Mozilla who have the knowledge, background and technical skills to deal with that...Otherwise you'd rather not build a browser with SSL capabilities!

>
>> There are various other valid standards for CA's and nothing, but
>> nothing will change the role of the browser vendor in this respect. EV
>> is just another standard! Auditing was always a job of a third party and
>> I don't see anywhere in the current CA policy, that Mozilla is supposed
>> to do the auditing. Nothing will change in that respect!
>>
>
> You say that like standards have no value, and are all just useless
> pieces of paper.
>

What did I say?

>
>>> because removing e.g. Verisign would break half the SSL
>>> sites on the web.
>>>
>> Which would give Verisign or other similar CA's (all of them owned by
>> Verisign anyway) a license to do whatever they like! Your statement
>> above is extremely dangerous! Because you just said, that you are
>> willing to compromise half of the SSL enabled sites of the Internet,
>> because of their market share!?!?!
>>
>
> Have there been cases where a CA has been consistently so bad that it
> should have warranted removal?
>

I don't know, but because of market share giving a certain CA a green card is the wrong message perhaps! Or do you want examples from me, about the "CLICK TO CONTINUE" certs and issued wrongfully to "Microsoft, Inc." by this very same CA?
Obviously they didn't perform according to their own policy, else this wouldn't have occurred!

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Phone: +1.213.341.0390

_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
