> It is erroneous to assume that such criteria would be the same for all
> users of Mozilla (or any other "tool-class" software package).
But all users of Mozilla (as distributed by mozilla.org) get the same list. There is one list, and there is one criteria for that list.
> Consequently, the list must be implemented as a
> "proposal only", subject to acceptance (and easy intervention)
> by the end user.
>
> It is indicative that the designers of many crypto systems will
> give the end user a choice of the algorithm. Choice of root
> cert organizations is even more dependent on the "who can I
> trust" question that only an individual user can decide.
Mozilla has a certificate manager that allows users to add CAs, and add
or remove trust from CAs on the list. It has been estimated that
perhaps no more than 0.001% of all Mozilla users have ever DISCOVERED
the cert manager. The rest all live with the built-in list of trusted
CAs, exactly as it was shipped for the lifetime of the product on their
system. The built-in list has to be chosen to be adequately secure for them.
> BTW, another thing that would significantly improve the security
> model of all browsers would be a MO where the finger of the
> site's public key is automatically displayed for confirmation.
Please start a separate thread about that suggestion, since it has nothing to do with trusting public CAs. I don't want it to derail this thread. Thanks.
> Roger
-- Nelson B
_______________________________________________
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto
