Eddy Nigg (StartCom Ltd.) wrote:
> Level 0: Nothing really, except it's your personal site and nobody else
> has access to it.
<snip the other four levels>
So you have made suggestions about the different uses for the five
levels. That's great - but it means that all of those distinctions must
be present in the UI. Because if they aren't, then one of the following
two things will happen:
- Someone will buy a level X cert, but the UI will say it's the same as
level X - 1, and so they will be upset that they've wasted money
or
- Someone will buy a level X cert, but the UI will say it's the same as
level X + 1, and there's a security problem
Neither is good. Yet five levels is complex to indicate.
> - The Mozilla CA policy will be extended to include the definition of
> the various levels.
> - The CAs assign the various verification procedures to the appropriate
> level.
> - Mozilla writes loads of code to detect each different type of CA
> certificate and make sure that NSS knows what level it corresponds to
> (or are we doing that bit by asking the CAs to include new OIDs?)
> - The CA has to live up to the promise made, e.g. the level it assigned
> to the certificate.
> - Should the CA have failed to adhere to the promise, do XYZ (which
> still has to be defined in any case. Completely missing or irrelevant
> from current policy).
Actually, it's rather important. If there's no reasonable sanction we
can take against the CA, then the policy has no teeth. This is a problem
today. We can't really yank Verisign's root if they "misbehave", because
half the SSL web would break. EV addresses this problem too; you can
just remove the EV status from a root, changing it back to "normal" SSL.
Nothing breaks; you just don't get the extra UI.
> However, there is another thing which I'd like to mention and suggest
> an adjustment of the policy and CA inclusion process for: As of today, CAs
> don't have to make any commitment concerning adherence to the Mozilla CA
> policy and don't have to sign anything. I think this is "interesting"
> to say the least. I suggest letting CAs sign the Mozilla CA and a
> statement like: "By requesting a CA certificate to be embedded in
> Mozilla software, the CA agrees to adhere to this policy in full..."
> and confirm that they have read, understood, etc. the same paper... Something
> for the lawyers obviously, but I think it has to be done in some way.
Definitely something for the lawyers, in that it would fundamentally
change the relationship between CA and browser. Currently, we have no
contract, and so no obligation to continue including the cert. A
contract would probably have commitments both ways, implied if not explicit.
Gerv
_______________________________________________
dev-security mailing list
https://lists.mozilla.org/listinfo/dev-security