I strongly support these comments from Frank Hecker and David Ross.  Early
versions of browsers included CA certs on a casual basis;  many of the
embedded roots were operated by universities simply because there weren't
any others.  However, digital certificates are increasingly used as the
basis for security and privacy and to conduct business, and the standards
used by the CA are very important.

Mozilla takes standards seriously;  but in the case of PKI, adherence to
technology standards is not enough.  For example, a certificate from my
"snake oil CA" will work as smoothly as one from Verisign or Go Daddy.  The
difference is in the authentication and operational standards used by the CA
backing up the certificates.  Technology standards make certificates work;
the business standards make them useful.

Current browser CA cert stores reflect a bias towards "old internet" -- they
are dominated by Verisign (and its Thawte division) and a wild mix of
university/government owned CA certs (many of which are derelict).  They are
globally embedded simply by virtue of being old -- but the bias is
definitely North American.  Certs are expensive simply because only a few
CAs have global embedded roots -- they are sitting on a controlled
commodity.

But today, around the world there are many national CAs as well as
commercial providers (my own company included) that are moving adoption of
PKI/digital certificates forward.

Mozilla needs to adopt a policy and a process to allow these players a clear
goal and path for inclusion.  Mozilla is global;  making the process
transparent is the only way to ensure inclusion of CA certs from around the
world to consistent standards.  More quality CAs = competition, reduced cost
to users, and more certificates issued.

I think it would be a mistake to "roll your own standard" for Mozilla;  the
responsible providers of CA services already bear a significant security
compliance burden.  The commercial providers are gravitating towards
WebTrust because it includes many of the procedures that our clients
typically require of us.  We can do one large audit instead of many partial
ones.

Mozilla can't take on the process of being the arbiter of good in the CA
business -- you want to enable certs so your users can do more with the
browser.  You need to select a standard and process that fairly allows CAs
in, while managing the Mozilla team's time so they can focus on their
speciality ... browser evolution.

I think that the Microsoft policy for CA certs is sound:
http://www.microsoft.com/technet/se...s/rootcert.mspx.  Like Mozilla they
were bombarded by requests and constituencies and needed to choose an
independent standard:
"Certification authority (CA) providers are required to complete a WebTrust
for Certification Authorities audit or provide an equivalent third-party
attestation. For more information about the WebTrust for Certification
Authorities program sponsored by The American Institute for Certified Public
Accountants (AICPA) or to obtain a copy of the criteria, see
http://www.webtrust.org/certauth.htm.  If you have received an audit from a
different program, that is, not the WebTrust for CAs, the burden is on the
CA to prove equivalency to WebTrust for CAs."

Apple appears to have a slightly different policy, which is that if a CA is
accredited or regulated in their home country, then they should be included
in the OS.

Regards, Stephen
www.quovadis.bm

"David Ross" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
> Frank Hecker wrote [in part]:
> >
> > In an earlier message I promised to create a "metapolicy" that would
> > explain and clarify the philosophy behind the proposed CA certificate
> > policy. Among other things, this will help guide me in creating the next
> > version of the proposed policy, and some if not all of this material
> > will also show up in the rationales section of the FAQ. (In the FAQ I'll
> > probably just call this the philosophy behind the policy, after David
> > Ross, but for now I can't resist the coolness factor of "metapolicy".)
>
>   [snipped]
>
> > 18. Any decisions made related to a CA certificate being included in
> > Mozilla should be publicized in a manner consistent with other matters
> > of interest to Mozilla users, including matters relating to
> > security-related bugs. Possible channels for this include the Mozilla
> > release notes, special areas on the mozilla.org web site, and the like.
>
> A specific Web page should be created for this information.  For
> each CA certificate, the following information should be provided
> (using Hecker's broad definition of "Mozilla"):
>
> * certificate name as seen in the Certificate Manager window
>
> * link to the CA home page
>
> * Mozilla version in which this certificate was added to the
> database
>
> * a link to a Mozilla.org page from which this certificate may be
> imported into older Mozilla versions
>
> * criteria used for approving the certificate for inclusion in the
> database
>
> * the default purposes for which the certificate was included in
> the database
>
> Further, if a certificate is removed from the database (per
> metapolicy #19), this Web page should indicate that fact so that
> certificates in older versions of Mozilla can be disabled or
> removed by their users.
>
> -- 
>
> David E. Ross
> <http://www.rossde.com/>
>
> I use Mozilla as my Web browser because I want a browser that
> complies with Web standards.  See <http://www.mozilla.org/>.


_______________________________________________
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto