Nelson B wrote:
> You seem to be suggesting that you think the existing CAs have not been
> held to (or rather, have not met) high enough standards. Yet I observe
> that most of the people participating in this discussion are calling for
> LOWERED standards.

This is a confusing area - and yes, we should agree that people are calling for LOWERED standards. That's because those people (perhaps only myself!) suggest that the standards are working against security. Thus, a call for lowered standards is a call for HIGHER security.

We can show this empirically. If you look on the stats page for cert numbers, it is pretty clear that certs have failed to enter the mass market: there are a relatively tiny 166k certs out there on web sites [1]. Even within this small body of cert users, there is a fairly high level of poor usage, by the standards of the cert suppliers, something well in excess of 50%; see the last table. That means that well in excess of 99% of the traffic is being denied the protection of crypto.

I did a straw poll via Google (unscientifically) and found that something like 10% of the merchants out there are not using any SSL at all. Probably, this is because it is too expensive (in all terms) to your average small merchant. Of course, someone who's a non-cc-merchant is much more likely to be not using SSL, even if they are trading in personal and other sensitive information.

On its own commercial terms, cert sales are a disaster. We've got how many CAs squabbling over something less than 100k sales per annum, after a decade? And, to boot, the security within the cert users is rather spotty - not worth paying for - and under increasing threat.

So, yes, just on the basis of cost alone, any increase in the raw number of certs out there will increase the security. And one way to do it is to lower the standard for getting certificates. I for one don't see that as a bad thing - I prefer to use standards to help me and others, not have standards use me for their own arcane purposes.

(Oddly enough, all of the other proposals made by myself and others will improve the fortunes of CA sellers dramatically, upwards! But that's a side effect of the move to a real market from the current artificial structure; most of us calling for lowered standards are interested in the user base out there, not the CA cert sellers.)

> The recent rallying cry was "we're non-profit and
> low cost, and that should qualify us."

It is unclear who Mozilla serves. Hence discussions on charities (not) and non-profits (is). Who is the constituency?

To my mind, Mozilla serves two constituencies: users and developers. It does not serve CAs. Nor auditing firms. That's very important to establish, because any policy can then be measured on whether it helps those users (and developers). And CAs, not so.

There is no necessary implication that Mozilla should be "fair" to all CAs. They exist to serve Mozilla, and its users, not the other way around. There is nothing wrong with, for example, deciding that Verisign is the *only* CA to be root'd. If that assists the users, as against any other choice, that is. (A sole source agreement clearly makes things easier for developers!)

Question is, what assists the users? I say, more SSL. How do we get more SSL? More certs. For that, we should lower standards, as above, and let more CAs in.

iang

[1] http://www.securityspace.com/s_survey/sdata/200402/certca.html
