David Ross said:
> Stephen Davidson wrote [in part]:
> >
> > Apple appears to have a slightly different policy, which is that if a CA is
> > accredited or regulated in their home country, then they should be included
> > in the OS.
>
> I have a problem with this. Some nations are rife with corruption
> and fraud. For example, would you trust a CA certified by
> Nigeria?
David does raise the difficult issue in all this. He wants a certain quality standard imposed over well-known unruly peoples, such as Nigerians, who are the source of most 401 scams (indeed, the 401 scam is named after the section in the Nigerian code, or some such.) Yet, how are the Nigerians to deal with this? Are they damned for all time? Or could they set up their own CA and have their government audit it and ensure its security, in order to tackle the very frauds that bedevil the Nigerian reputation?

(As an anecdote, I'm involved with a conference in payments and security, and, so far, by far the most registrants are Nigerians ... Now, is this a bona fide effort to increase payments security? Or, is it an attempt to weasel a letter of invite so they can get a visa? As the credit cards these guys are providing aren't in their names, I'm betting on the latter!)

Either way, a CA from Nigeria, authenticated by the government there, could be bad. Or good. Tricky to say without some more work.

Meanwhile, it seems that Microsoft has another solution - shift the burden across to an independent audit standard. Is that good? Depends on the standard. Depends on the auditors. Depends on Microsoft. Depends on the money...

We've seen plenty of commentary, and to my mind, it all seems to come down to ... it depends! I don't think it's possible to say that Microsoft's method will always be good, or Opera's or Netscape's. Or that Nigerians are all bad. Or, any other group, either.

The audit process does have some bad points. The independent audit will probably knock out CAs like CACert. It's just too darn expensive. Then, there will be CAs who can afford it, and they will be very happy to make sure that it is hard to do, and expensive, simply because that's one easy way to reduce competition.

Will it do its job? Tricky to say. On the one hand, we have the supposed claim of high quality. On the other hand, we have the loss of faith in general audits over the last few years. OT3H, the expense of the audit process (and the expense of the whole CA thing) does sit rather oddly with the whole reason, foundation and spirit of the Internet.

One thing that audits *do* achieve (observably) is that they reduce competition on quality. That is, if everyone who can play has to have an external audit, then there is no incentive to do any more than the audit requires, and only a sufficient incentive to do just enough to pass the audit. "We are audited by BlahBlahTrustBlah!" is the beginning, middle, and the end of the security story.

This is the trap that the financial markets are in. As regulation is so stringent and so overwhelming, the notion of competing on the quality of governance is totally lost to the financial side of the markets. I.e., everyone does what is required and no more. Partly because there isn't any room to move from the regulations, and partly because nobody rewards anyone for anything more than a standard audit. (Oh, and real security observations are punished. If one criticises an audited firm, one is rounded upon for treating the regulators, the auditors, and the whole darn system as if it was anything less than ordained from on high.)

Some people have handed over their "trust" to auditors, which is why they were shocked, simply shocked, when Arthur Andersen failed. US Congressmen were appalled, simply appalled that their trust could be abused, so Messrs Sarbanes & Oxley fixed it with more regulation, more rules, more punishment, more audits, and ... less security.

(David points out, that is finance, and this is process! With respect, no, it's audits. There is no difference between what is audited. The rot that is in the audits is there for either. You pays your money, and you gets your audit. If you pay enough money to your auditor, you can get him to say what you want. You don't, and he'll say what he wants.)

Which is a bit of a criticism against audits. In biz speak, this is called *shifting the burden*. That's the name for when we've created some smoke-and-mirrors solution that sounds good, but just moves the problems from the left to the right.

Are the audits any good? Who knows. I say not, others say yes. I'd have more faith in a Nigerian CA if I knew something about it, than some unknown cert with an unknown CA. If I don't know who the CA is, to me, it's a dead issue. That's because I've seen too many audits and/or auditors, and/or a few CAs, that were jokes at best, or frauds at worst.

Back to Mozilla and its CA policy. How to get out of this mess? Well, the current HTTPS arrangement - the structure, the design, the architecture - is broken. In many ways, but one particular way, and that is that *all* CAs are treated equal. In this context, the CA policy is doomed, unless this weakness of the HTTPS CA implementation is taken into account.

"All CAs are equal" simply cannot work in a security framework. It makes no business sense, as businesses and people don't trust the Nigerian government the same way they trust Arthur Andersen. And, it makes no security sense to shift the burden from "untrusted but individual merchants" to "group of CAs trusted by global fiat."

Hence, the suggestion (by many) that we need to stop treating the CA as a commodity. And start treating it as a business: with reputation, brand, and an ability to suffer in the marketplace if they muck up. Separate out the CAs.

If that is done - if the user gets to see the CA when on the SSL-protected site - the users can do the rest (with a lot of help from the market...). If they can't, no policy by Mozilla, or Microsoft, or anyone else (DHS, pay attention!) is going to make it worth the effort. (Which is fundamentally why people call for *lowered* standards, because they recognise that high standards don't deliver, so let's save some money.)

Without being able to separate out CAs, it really doesn't matter what policy is picked - one CA is as good as the next, so it's a crap shoot. All quality becomes the same. Too good for some, and too bad for others, so, the last thing it is, is quality.

Without CA branding, CA policy is just a(nother) barrier. Until CAs become known - in users' faces - and punishable for delitos, then no amount of auditing will help any. But, it might raise prices and shut out better players and more secure solutions.

With CA branding, CA auditing becomes a competitive tool for (some) CAs to compete with. That might be a good thing, and the market will decide. But without branding, CA audits have nothing.

iang

_______________________________________________
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto
