On Tue, Jan 1, 2013 at 9:49 PM, Michael Mol <mike...@gmail.com> wrote:
> On Tue, Jan 1, 2013 at 9:37 PM, Benjamin Peterson <benja...@python.org> wrote:
>> Michael Mol <mikemol <at> gmail.com> writes:
>>> On Tue, Jan 1, 2013 at 5:51 AM, Dirkjan Ochtman <djc <at> gentoo.org> wrote:
>>> > Speaking of which, say what you will about Mozilla's broken criteria
>>> > for root inclusion, but Mozilla has no commercial interests,
>>>
>>> Wait, what? How does taking income during a process not constitute a
>>> commercial interest?
>>
>> There seems to be some confusion about Mozilla's cert inclusion process. Mozilla
>> does not make any money by including CA certificates. Per its own policy [1],
>> "We will not charge any fees to have a CA's certificate(s) distributed with our
>> software products."
>>
>> [1] https://www.mozilla.org/projects/security/certs/policy/InclusionPolicy.html
>
> Fair enough. I took Rich's email as an indication they did.
To be trusted by Mozilla you do indeed need to pay substantial sums of money (in almost all cases), but you don't actually pay them to Mozilla. Typically you pay them to an auditor who specializes in such things, such as WebTrust. The fact that they don't even publish their fees tells you all you need to know - I've heard they are in the neighborhood of $10k.

My concern is that the approach chosen by Mozilla (and most other software distributions produced by large corporations) is mostly about having lots of paperwork and auditing, and is not about actual security. If a certificate authority has a pile of paperwork saying they operate one way, it won't stop them from issuing certificates to the NSA or whoever if they get a national security letter, or the equivalent in one of the 400 other jurisdictions that these companies reside in (many of which make the Patriot Act seem quite tame).

And that is just considering cases where the CA cooperates with legal authorities. Factor in incompetence and just about anything can happen. Incompetence happens in industries that have heavy government scrutiny, such as in pharmaceuticals and aircraft maintenance. Certificate authorities are almost completely unregulated in comparison.

Basically the whole system is one big CYA maneuver. DNSSEC is far more promising as a certificate distribution system, and the legacy SSL system really is just standing in the way.

Rich