<snip>
This points out the difficulty of correctly analysing the threat model that is appropriate. Consider American credit card holders, versus non-Americans holding credit cards, as discussed recently here.
Which risk is a security modeller to pick? It's very tricky.
I have no idea how in general the threat model we are considering might vary based on the country in which the user is based, the country or countries in which the certificate holder is based, and so on. The best I can hope to do is to provide some rough guidance to whomever has to worry about this.
My initial thoughts on this are as follows:
1. The "typical user" to be considered in the context of this policy could vary from CA to CA, based on the composition of the customer base for the CA (i.e., the certificate holders) and/or the composition of the population of users who interact with those certificate holders.
Rationale: If, for example, we're considering a CA that is based in a particular country and issues certificates mainly to people and businesses in that country, and if the Mozilla users interacting with those certificate holders are also in that country, then there might be country-specific issues (like those mentioned for France) that would tend to make the threat model somewhat different than it would be otherwise. If this is the case then the "evaluators" can take this into account when deciding whether or not to include the CA's certificate.
2. By default (i.e., in the absence of other considerations that might lead us to do otherwise) we will consider "typical users" in the context of the environment in the US.
Rationale: The standard version of Mozilla released by the Mozilla Foundation also happens to serve as the "US-localized" version, and therefore it should take US-specific issues into account if and where that ever makes sense.
If for some reason a decision taken in a US context doesn't make sense for users in other countries, then people doing localized versions of Mozilla for those countries can be given leeway to make their own decisions. Thus, for example, if we include a particular CA's certificate in the standard (US-localized) version of Mozilla, and the people doing the "localized for France" version don't think this is a good idea (based on the situation in France), then there's no reason in principle why they couldn't remove that CA's certificate from the France-localized version.
There's still the trademark issue, but I don't see why this couldn't be handled consistently with other localization-specific changes. For example, if the Mozilla Foundation allows the creators of the France-localized version to include, say, default links to French search engines, and still use official Mozilla logos, etc., then I don't see why the Mozilla Foundation wouldn't also let them make changes to the list of included CA certificates, if there are good reasons for such changes.
Frank
--
Frank Hecker
hecker.org
