Hi Mister Charter77,

[EMAIL PROTECTED] wrote:
> Currently the UI is the same for all SSL, no matter the
> quality.  You are proposing to use the UI to differentiate between
> grades of SSL ...
First of all, the proposal tries to structure and define SSL certificates in the Mozilla CA policy, first and foremost, about something which is common practice. It nowhere says how, if and when the UI should differentiate.
> then you better be sure the cert quality matches up
> to the UI representation.  If Moz is saying "this cert is X" then Moz
> needs to be sure it really is X.
I think this is certainly worth thinking about! First of all, I suggest that Mozilla shouldn't "say" anything as its own opinion - this from a legal point of view. However, I do suggest that the browser _presents the information of the CA as that of the issuer of the certificate_. There is a difference between the two! Certainly Mozilla shouldn't suggest that a certificate is this or that "safe", but provide an indication about the claims of the CA. This will certainly be an interesting challenge anyway - which is also true for the EV proposal.
> You can't leave the grading or the
> compliance up to the CAs.
I think it should. Because Mozilla doesn't have any control over it in any case! Not today, not with EV and not with this proposal! Compliance is not something Mozilla controls! Never! (Except in case Mozilla starts and operates its own CA)

By letting the CA assign the level and comply with the proposed Mozilla policy extension, the CA retains full responsibility and is liable for its promises. Assigning a certificate to a certain level is a promise to the relying parties, the very same way it has defined the policy and practices of the CA, which is the legal framework between all parties involved. It remains the same promise, just with the addition that it has assigned an OID and appropriate level to its certificates accordingly. The promise, responsibility and liability are always those of the CA!

Therefore I'm asking: why should Mozilla take over the promise, responsibility and liability of the CA by "making sure" anything of it? Let the CA decide "its promise" to Mozilla, the subscriber and relying party, and let the CA retain all responsibilities. Mozilla only provides an interface for the "promises".

Hope this makes sense!

--
Regards

Signer:      Eddy Nigg, StartCom Ltd.
Phone:       +1.213.341.0390
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
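The message above argues that the CA asserts a policy OID in its certificates and the browser merely relays that claim. As an added example (not part of this thread, and not code from Mozilla or StartCom), the following Python decodes a DER-encoded certificatePolicies extension (RFC 5280, section 4.2.1.4), looks the asserted OIDs up in a policy table, and returns the CA's own claim for display rather than any rating of the certificate. The policy table, the CA name and the OIDs under 1.3.6.1.4.1.99999 are hypothetical placeholders; the anyPolicy OID 2.5.29.32.0 is real and shows what happens when a certificate asserts an OID the table does not know.

```python
# Added example: relay a CA's certificatePolicies claim instead of rating the cert.
# The policy table and its OIDs are hypothetical placeholders, not real CA policy OIDs.
from typing import Dict, List, Optional, Tuple

# Hypothetical table shipped with the browser: policy OID -> (CA name, level the CA claims).
POLICY_TABLE: Dict[str, Tuple[str, str]] = {
    "1.3.6.1.4.1.99999.1.1": ("Example CA", "domain-validated"),
    "1.3.6.1.4.1.99999.1.2": ("Example CA", "organization-validated"),
}

SEQUENCE_TAG = 0x30
OID_TAG = 0x06


def encode_oid(oid: str) -> bytes:
    """Encode a dotted OID string as OBJECT IDENTIFIER content bytes (base-128 arcs)."""
    arcs = [int(a) for a in oid.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        body.extend(reversed(chunk))
    return bytes(body)


def decode_oid(content: bytes) -> str:
    """Decode OBJECT IDENTIFIER content bytes back to dotted form."""
    arcs = [content[0] // 40, content[0] % 40]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def tlv(tag: int, content: bytes) -> bytes:
    """DER tag-length-value with short or long-form length."""
    n = len(content)
    if n < 128:
        return bytes([tag, n]) + content
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + content


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER element at pos; return (tag, content, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def build_certificate_policies(oids: List[str]) -> bytes:
    """Constructed sample input: SEQUENCE OF PolicyInformation { policyIdentifier }."""
    infos = b"".join(tlv(SEQUENCE_TAG, tlv(OID_TAG, encode_oid(o))) for o in oids)
    return tlv(SEQUENCE_TAG, infos)


def parse_certificate_policies(der: bytes) -> List[str]:
    """Return the policy OIDs asserted in a certificatePolicies extension value."""
    tag, content, end = read_tlv(der, 0)
    if tag != SEQUENCE_TAG or end != len(der):
        raise ValueError("certificatePolicies must be a single SEQUENCE")
    oids, pos = [], 0
    while pos < len(content):
        tag, info, pos = read_tlv(content, pos)
        if tag != SEQUENCE_TAG:
            raise ValueError("PolicyInformation must be a SEQUENCE")
        inner_tag, oid_bytes, _ = read_tlv(info, 0)  # policyQualifiers, if any, are ignored
        if inner_tag != OID_TAG:
            raise ValueError("policyIdentifier must be an OBJECT IDENTIFIER")
        oids.append(decode_oid(oid_bytes))
    return oids


def present_ca_claim(der: bytes) -> Optional[Dict[str, str]]:
    """Return what the CA claims (OID, CA, level) for display, or None when no
    asserted OID is in the table. Nothing here is the browser's own judgement."""
    for oid in parse_certificate_policies(der):
        if oid in POLICY_TABLE:
            ca, level = POLICY_TABLE[oid]
            return {"oid": oid, "ca": ca, "claimed_level": level}
    return None


if __name__ == "__main__":
    sample = build_certificate_policies(["2.5.29.32.0", "1.3.6.1.4.1.99999.1.2"])
    print(present_ca_claim(sample))
```

The lookup returns the CA's name alongside the level so a UI can word the indication as the CA's assertion; an OID missing from the table yields no claim at all rather than a downgraded grade, which is the distinction the message draws between relaying a promise and making one.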
