On 2/13/07, Duane <[EMAIL PROTECTED]> wrote:
beltzner wrote:
> > - increasing the liability exposure for CAs found to be lax in their
> > applications of the guidelines
> The problem here is businesses tend to do whatever is cheapest; if
> paying out $2k is cheaper than due diligence, then without any other
> external forces, increased or excessive liability is the only option to
> keep companies doing the right thing.
Well, that and brand loyalty. I think we need to make the CAs more
publicly accountable for their assertions and actions. Those CAs
that aren't holding up their end of the EV bargain should be either
stripped of their ability to issue EV certs, or suffer brand
affiliation consequences.
But I think we're agreeing: the guidelines need teeth.
> As someone else pointed out they get more insurance sending parcels or
> if your UPS devices fail to protect equipment.
> > I'm really only interested in points like the first three. If it's a
> > market conspiracy, you can bet your bippy that the market will decide.
> Just like it did with PKI already? :)
Sure. Which is why we're at $10 certs. The market decided that the CAs
weren't offering a service, and so they devalued the cost of that
service. I don't think such devaluation was a CA-inspired conspiracy!
:)
> > [1]: In fact, I don't think that in the timeframe of Firefox 3 there
> > will be any set of metadata which we'd use to declare "This website is
> > safe", but I'm willing to be proven wrong so I don't want to overstate
> > my position.
> Will you take an interest in the security researchers that were trying
> to help Mozilla out in the past (but mostly ignored or, worse, given the
> runaround)?
Not only will I, but I have been. I'm a member of the W3C Web Security
Context Working Group, the Anti Phishing Working Group, and while I'm
not planning to attend SOUPS this year, I know the lion's share of
people who are presenting there and have made contact with them all.
I'm not familiar with CACert or the "runaround" that you're
describing. Amir Hertzberg complained to me once that he didn't get
support from Mozilla, but when I asked him to describe what support he
asked for and from whom, he didn't respond. I'd like to unblock that
if I can, but that's for another thread.
cheers,
mike
--
/ mike beltzner / phenomenologist / mozilla corporation /
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security