relyea wrote:
>
> Ben Bucksch wrote:
>
> > Bob Lord wrote:
> >
> > > The browser isn't making an assertion about a web site; the issuer
> > > is. We'd like to give that information to the user. That will become
> > > more important as more CAs spring up.
> >
> > The browser vendor is making an assertion about the issuer. Only trusted
> > CAs should be included by default. Most users have no way to know if an
> > issuer is trustworthy or not.
> >
> > BTW: What are the requirements for a CA having its certs shipped with
> > the browser?
>
> Very little. We aren't allowed to make any value judgements on the quality
> of a CA's certification process, or we take on the certification liability.
>
> CAs distinguish themselves on basically three bases: 1) how
> widely trusted they are [what browsers/servers/applications trust them by
> default], 2) how trustworthy they are, and 3) how expensive they are.
>
> Traditionally 1 and 3 were primary, but as more and more CAs get trusted by
> default, 2 becomes a bigger issue.

Well, one of the requirements for a CA cert to be shipped in the Netscape
branded browser product is that the CA pay $$$$$$$. This weeds out the
ones who aren't serious.
--
Nelson Bolyard Sun / Netscape Alliance
Disclaimer: I speak for myself, not for Netscape