On 10/09/2008 05:33 PM, Ian G: > > The goals of Mozo are written somewhere else, and they only speak > softly to the issue of security from memory
I obviously meant the goals of the Mozilla CA Policy and NSS, which isn't used only by Mozilla (Firefox) but lots of different software. NSS is a cryptography library. > I'd flag as wrong. If there was a goal to allow users to rely on > CAs, certificates, etc, then there would be a requirement to tie in > the reliance of the Mozilla end-user, and the relying party of the > CA, as described in the CPSs and as promoted by the PKI literature > as a key person who has to read the key document and enter into this > game called reliance. > > I'd suggest that Mozilla end-users, for the most part, in general, > are not relying parties. They may not rely on the certs, or they > are likely in for a surprise if they ever want to turn a failure > into a recovery. > > They might *use* the certificates, and then go on to rely in other > ways. And, they may go to the CA's website and find out what it > takes to become relying parties ... But these are different things. > I don't know in what business you are in, but in my industry digital certificates are issued to subscriber so they can provide them to third parties for them to rely on the certification, e.g. the third party relies on the certificate issued to the subscriber. Mozilla itself is a relying party and also makes sure on behalf of its users that CAs included with the software adhere to certain criterion. Those are defined in the Mozilla CA policy. Users certainly don't have to visit the CA websites in order to know that the CA adheres to the set requirements of the Mozilla CA Policy (at least). That's the whole point of shipping a set of CA certificates with the library. In order to understand CP/CPS of CAs a certain level of understanding about the subject is required, something which Mozilla does on the behalf of the user. Most users would fail with such an attempt. Maybe at Cacert one should find out at their web site about what it takes to become a relying party and perhaps one should better use other ways for reliance... ;-) ...but for most Relying Party Obligations I've seen the software takes care of it (e.g. revocation status checking, matching domain/email, validity of the certificate, etc.) > > However I would also raise a caution here: current Mozilla policy > is separated into EV and non-EV. I don't think this is written down > anywhere. Either way, the strength of the difference is such that I > do not believe it that the word "reasonable" applies any more. > Mainly EV provides a defined standard which applies to all CAs issuing under the EV guidelines; for CAs included in NSS it's the Mozilla CA policy (it might be more than that, but not less). Both are reasonable to the extend of what each provides. (Not that I believe that there could have been other ways achieving that and better, but that's another story) > E.g., if EV was "reasonable" then the DV/AV, etc should be turned > off as being "not reasonable". If the latter was "reasonable" then > we don't need EV. QED. DV doesn't claim to provide EV - but not everybody needs EV either, DV many times is sufficient. It's not either EV or DV, but it depends. Incidentally there are other shades as well, such as object code requiring IV/OV and it has been suggested that wild card certificates should be IV/OV too. There might be others... > > "provide a *reasonable* level of assurance that is appropriate > to the user's needs, and is matched by the > software's security and UI." > I think I could sign on this one. The devil is in the details and the definition of the above... -- Regards Signer: Eddy Nigg, StartCom Ltd. Jabber: [EMAIL PROTECTED] Blog: https://blog.startcom.org _______________________________________________ dev-tech-crypto mailing list [email protected] https://lists.mozilla.org/listinfo/dev-tech-crypto
