Eddy Nigg wrote:
I'd like to pick this discussion up once again and evaluate what the
goals of Mozilla and the Mozilla CA policy really are. Certainly the
above is not the defined goal, but rather to provide some reasonable
assurance about the CAs included in NSS and Mozilla products and allow
users to rely on
- domain name control validation for web sites
- email control validation for email
- identity or organization validation for code signing
- in case of EV, compliance to the EV guidelines
- sound physical and logical security, controls, business continuity and
other aspects as they are covered by the acceptable audit criterion

Unlike Ian, I'm not going to try to parse what "rely on" means. Leaving
that issue aside, I think the above is a reasonable summary of what the
Mozilla CA policy says. However, as Ian notes, the above are not really
goals or ends in themselves, they're means to an end, namely to minimize
security risks to typical Mozilla users, trading off risks vs. benefits
in an approach consistent with that taken with other security-relevant
parts of the product.

So making trade-offs of various kinds is an inherent part of the CA
evaluation process. (For example, I think the security risks associated
with a non-EV CA are less than with an EV CA. Note that I don't mean
that non-EV certs are more "secure", I mean that as more and more major
ecommerce sites move to EV certificates any problems with CAs issuing
non-EV certs will be less likely to affect typical users.)

Frank
--
Frank Hecker
[EMAIL PROTECTED]