Ben Bucksch wrote:
> Bob Lord wrote:
>
> > The browser isn't making an assertion about a web site; the issuer
> > is. We'd like to give that information to the user. That will become
> > more important as more CAs spring up.
>
> The browser vendor is making an assertion about the issuer. Only trusted
> CAs should be included by default. Most users have no way to know if an
> issuer is trustworthy or not.
>
> BTW: What are the requirements for a CA having its certs shipped with
> the browser?

Very little. We aren't allowed to make any value judgements on the quality
of a CA's certification process, or we take on the certification liability.
CAs distinguish themselves on basically three bases: 1) how
widely trusted they are [what browsers/servers/applications trust them by
default], 2) how trustworthy they are, and 3) how expensive they are.
Traditionally 1 and 3 were primary, but as more and more CAs get trusted by
default, 2 becomes a bigger issue.