Duane wrote:

>> Suggest another method of independently audited practices.
>
> My personal thoughts on this are, if Mozilla is truly worried about
> security in this respect they should do their own auditing, after all
> it's their browser's reputation, even though MS doesn't do their own
> auditing if a rogue CA ended up in their browser I doubt the press would
> put the blame on anyone else but MS.
>
>> You didn't speak to the liability issue.
>
> Having the root certificate revoked I'd say would be a big liability for
> any CA, not to mention a sullied reputation.

Apparently I have not made the liability issue clear, so let me try to
explain it better than I previously have.

If mozilla.org or Mozilla Foundation (whom I'll call MF, to distinguish
from the mozilla browser) gets into the business of choosing its own
set of who's in and who's out, as opposed to relying on some third party
such as AICPA (hey, does Australia have its own equivalent of AICPA?),
then the following scenario might occur:

mozilla lets CA-X into the list.  CA-X creates falsified certs for certain
banks, thereby allowing undetectable Man-in-the-middle attacks against
SSL for customers of those banks.  Lots of users of those banks end up
going to a server that is a false server for their favorite bank, and
their bank accounts get cleaned out.  There's a lot of them and they sure
wanna sue SOMEBODY.  So, after a little digging, they sue mozilla.org.
They say "you told us that the certs from CA-X were trustworthy, but they
were not."

Now if mozilla can say, "We relied entirely on the answers from AICPA",
then maybe mozilla can dodge the bullet.  Otherwise, mozilla loses
their shirt.  The laws may be different in Australia, of course, and I
am not a lawyer in any country, but the reason most lawyers over here
are so thin is due to all the time they spend running from liability. :)

It is widely believed that the reason that Microsoft relies on webtrust
is precisely so that they can pass all liability through to webtrust.
I suspect mozilla's lawyers will decide this is a case where passing
off liability is a good idea.

>> Most mozilla users are UNAWARE of the EXISTENCE of CAs.  They haven't
>> read anything from CAs, much less any sugar coating.
>
> Not true, they may not understand the connection of CAs, but they do
> understand the implications of warnings and the lock icon, and being
> told about how the lock symbol is "trustworthy"

Well, I've been developing crypto code in netscape/mozilla and supporting
their users for 7+ years, and I think I know what I'm talking about.
People who need a cert (such as 100% of your clientele) know about CAs.
The average user who buys something on the web can't even spell CA. :)

>> The bar needs to be set according to the security requirements of public
>> trust.  Being trusted as a CA is about being trusted and trustworthy, not
>> about a pricing structure.
>
> Basically my comment on this is about AICPA, and the fact if they were
> solely relied upon to make decisions it excludes CAcert not due to
> technical or policy reasons but purely because at this stage we don't
> have the funds required to apply for their certification processes, so
> the only entry requirement we'd fail on is monetary.

Yes, and I think that situation is unfortunate.  I wish it were otherwise.
But *if* MF decides that they must rely on AICPA/WebTrust for the same
reason that Microsoft allegedly does, then well ... darn!

But you'll notice that I am pushing both sides of the issue.  Whether MF
decides to adopt AICPA answers or decides to make up their own, I am
pushing for good secure answers in both cases.

--
Nelson B

_______________________________________________
mozilla-crypto mailing list
http://mail.mozilla.org/listinfo/mozilla-crypto