Frank,
I think you have just opened a big can of worms with this Certificate
policy.
- It should be called a Mozilla Certificate authority policy, not
Certificate policy. I don't think there is any plan to include any
non-CA certificates.
- I think the term "default certificate database" is somewhat ambiguous.
Technically, there is a built-in PKCS#11 module containing a database of
root certificates and trust. This module is separate from the
certificate database associated with each Mozilla profile. In fact, the
root certs module/database can be removed by the user altogether and
security in Mozilla can continue to function without it. I just had to
point that out. The CA certs don't get added to the profile certificate
database, unless their trust is modified.
- I am not a lawyer, but I really think you are underestimating the
liability issues for the foundation if it chooses to select
certificates. Has the Mozilla Foundation hired a lawyer to look at the
issue to make a determination of the liability risks the security policy
exposes the Foundation to, or is the Foundation in the process of hiring
one? I would love to be wrong, but I think this is definitely something
that needs to be looked at by a lawyer, because it's the sort of thing
that could take down the foundation if not done very carefully. Just
because Mozilla has a legal disclaimer does not mean that you won't be
sued. Commercial software comes with plenty of disclaimers, too.
- As the (soon-to-be-former) AOL/Netscape employee who has been doing
most of the check-ins to the built-in root certs for NSS in recent
years, I know I would not feel comfortable at all with a policy that is
so arbitrary and void of verifiable objective criteria - section 4.1 in
particular.
- The current official certifications for commercial CAs such as
WebTrust are extensive and expensive. They don't match 1 to 1 with the
spirit of the Mozilla foundation, in that they may be overly restrictive
on who can join the party. So they shouldn't be a sine qua non condition
for inclusion.
- Most users don't understand PKI security and are not able to make CA
certificate trust decisions. And it would be indeed laughable to expect
them to be able to do so with a pop-up that simply shows a few fields in
the certificate. Ever tried to verify a root CA certificate just by
looking at its contents? What did you do, call a company's 800 number and
check the fingerprint and public key to make sure it matched? The point
is, you need an external source of trust to help with the decision.
There is no one-size-fits-all list of trusted CAs. That's why trust is
editable, and not static. People are using Mozilla in diverse
environments. I personally use Mozilla as if it were commercial
software, for personal needs such as banking, and wouldn't expect it to
include MyFriendlyNonProfitCAWhoCan'tAffordWebTrust, Joe'sPersonalCA, or
MilitarySecretCA.
In the latter two cases, the end-users are savvy enough to install the
certificates themselves, before they actually start to use them (i.e.,
long before the browser pops up an "unknown CA - do you want to trust
it?" pop-up).
You on the other hand might want to use
MyFriendlyNonProfitCAWhoCan'tAffordWebTrust without being presented a
trust pop-up that is very hard to act upon.
Unfortunately, I don't know of any organization that will vouch for CAs
in the MyFriendlyNonProfitCAWhoCan'tAffordWebTrust category, but it
sounds like that's what you need here. I don't think it can or should be
the Mozilla foundation itself doing it through its policy.
I also don't think they should be blanket included together with all the
commercial CAs that passed a certification.
I think MF should defer to such a CA verification organization when one
is created. When it does, these CA certs can be compiled into a separate
PKCS#11 module containing only certificates of CAs in this category.
The Mozilla browser could then prompt the user for the security policy
he wants to adopt when creating his profile: there could be a checkbox
for the commercial CAs, which would basically be the current built-in
module, and another checkbox for
MyFriendlyNonProfitCAWhoCan'tAffordWebTrustCAs (for lack of a better
term) who did not go through the WebTrust (or other) commercial
certification required to be included in the first group.
The effect of each checkbox would be to load or not load a given PKCS#11
module containing a set of trusted CA certificates. 0, 1, 2 or n
PKCS#11 modules containing trusted CA certificates can be loaded in
Mozilla in any one profile.
This way, the user makes the decision of which CAs he trusts on a
rational basis when creating his profile with a question that he can answer.
_______________________________________________
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto
