"Nelson B. Bolyard" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED] > (Disclaimer: I am not a lawyer. This is my opinion. I'm not speaking for > Netscape, AOL, mozilla, or anyone else but me.) > > There is a certain amount of liability associated with putting a root CA > cert into a browser and making it trusted. Users put their trust into > any and all web sites that manage to get the lock icon locked without > overriding security. If a "rogue" CA's cert is put into their browser, > their trust may be abused, and they may have (in some countries) cause > against the supplier of their browser software.
"Under WebTrust for CAs, each Certification Authority must be independently examined, or "audited," by an independent and qualified auditor." Why not use this as a criteria? This is what it takes to get into IE root store (and stay there), btw. Currently IE has more users than Mozilla, so many CAs will go through the WebTrust audit. The cost of the audit may range from $75,000 to $250,000 (annual cost is much lower). I'm not sure CA's are willing to invest $150,000 on top of the audit cost. So many CA's will just skip Mozilla/Ntescape and recommend IE or Opera. About WebTrust: http://www.webtrust.org/certauth.htm regards, -Jyrki Nivala > > -- > Nelson Bolyard (speaking only for myself)
