Eddy Nigg (StartCom Ltd.) wrote:
Or rather, those who shout loudest don't like it. I've had the great
joy of interacting with many of that group before, and I know where
they stand. However, at this stage I am interested in hearing from
Mozilla community members such as Heikki and dbaron.
However I'm getting the feeling, that you are not listening at all.
Trust me, I know exactly what you think.
No, I didn't propose that. Where did I propose that?
From your post on the Mon, Nov 6 2006 4:57 pm:
but we have never contemplated
using it - because removing e.g. Verisign would break half the SSL sites
on the web.
Indeed. That's merely a statement of fact. And I'm sure removing
Startcom as a CA would break some proportion of sites as well. The fact
that we only have this "nuclear option" as a sanction is definitely a
problem - and one that EV can help solve.
As I'm sure Verisign does also.
Sure, however issuing a Class 3 certificate to a company or individual
called "CLICK YES TO CONTINUE" simply shows something extremely broken.
This is not a "domain validated" cert, but Class 3 code signing! And
this didn't happen in the nineties, but just recently...I don't
know....Verisign is not my business, but if somebody would have looked
even once at this request, before CERTIFYING, this simply could not have
happened! So much about that...
So it seems we need standards for who one issues a cert to, not just how
one does it. Hang on, didn't we just write some of those?
BTW, code-signing is next on the list of issues for the CA/Browser Forum
to tackle.
There can be various audit schemes, however I would like to see
alternatives to the WebTrust auditors which is in my opinion an
expensive monopoly. There are valuable alternatives and perhaps
definitions available, which would create also some competition in this
field!
Then suggest an alternative that I can propose!
As suggested previously, the Mozilla CA policy would provide such
alternatives.
We are going round in circles here. WebTrust are writing new guidelines
for auditing EV. If you want some alternative audit criteria, you need
to name them specifically (if they exist already) or suggest who should
write them. The Mozilla CA policy is not a set of EV audit criteria,
it's a CA policy for a browser manufacturer.
Right, it's a CA related challenge...Obviously I'm looking at it, how a
CA (including us) is going to comply with it...And what if there is no
trustworthy agent available in that region? Quite obvious the CA must
send somebody in to do this job. However this drives the costs upwards,
which the client has to pay. In such a case, the client might prefer not
to make the deal and the CA is going to loose business...or being very
attempted to skip this requirement! I'm very skeptical about this one,
because if a standard is set too high, it will be circumvented when not
convenient! Simply as that...
...and the CA may well fail its audit.
Because a user actually only needs this information extremely rarely -
when they've got a problem with the site.
Really? Are you buying anywhere without checking from whom and what you
get? What are the guaranties you receive? What if you don't receive the
goods? I don't think, that your argument is correct...
So when you visit an SSL site to buy something, you read all the
certificate contents before proceeding with the purchase? Every time?
Gerv
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
