Suggest another method of independently audited practices?

My personal thoughts on this are, if Mozilla is truly worried about security in this respect, they should do their own auditing; after all, it's their browser's reputation. Even though MS doesn't do their own auditing, if a rogue CA ended up in their browser I doubt the press would put the blame on anyone but MS.


You didn't speak to the liability issue.

Having the root certificate revoked, I'd say, would be a big liability for any CA, not to mention a sullied reputation.


Most mozilla users are UNAWARE of the EXISTENCE of CAs.  They haven't
read anything from CAs, much less any sugar coating.

Not true. They may not understand the connection to CAs, but they do understand the implications of warnings and the lock icon, and they are told that the lock symbol is "trustworthy".


Nowhere did I suggest that the mozilla organization should evaluate certs
for purposes.  I suggested that the mozilla browser software could enable
users to choose for themselves which CAs they trust for purposes such as
banking, but that this would require that the mozilla browser be able to
determine which of the user's defined purposes was applicable to a
particular action.  How does the browser know if you're trying to do
banking or not?

I doubt most people would care; they tend to be under the impression that others would be better at making these decisions for them.


In the meantime, please help us establish the criteria.

More than happy to... It's in both of our interests, as we're both developing policies at present for similar reasons.


The bar needs to be set according to the security requirements of public
trust.  Being trusted as a CA is about being trusted and trustworthy, not
about a pricing structure.

Basically, my comment on this is about AICPA, and the fact that if they were solely relied upon to make decisions it would exclude CAcert, not for technical or policy reasons but purely because at this stage we don't have the funds required to apply for their certification processes. So the only entry requirement we'd fail on is monetary.
_______________________________________________
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto