> All (or nearly all) the embedded roots entered the list back while the
> list was exclusively controlled by Netscape.

When I speak of historical root stores, I must admit that I am using IE as
the reference point (wince), which at one time had nearly half a dozen
academic roots in Spain alone.  In addition to using WebTrust as the
credential to admit new CAs, Microsoft has also set up a timeframe for
existing CAs in the root to seek WebTrust accreditation.

> Increasingly used for security?  They were always used that way.

Certs have always been used for privacy.  But as the various e-commerce laws
mature, digital signatures are being used for the first time in meaningful
ways and volumes.  For this, WebTrust-type standards are key.

> BTW, I recently read that Opera also uses the method of charging for
> admission as their selection criteria.

Opera does charge a spurious "testing" fee to be added to the browser -- the
contract however is very light and does not address liability.  It's a
cheesy approach.

Mozilla may not have rec'd many requests for insertion in the store because
the process has not been clear -- most CAs have figured out workarounds such
as root injectors or localised browsers distributed with an ISP.  Often they
have a key client (i.e. Government) which can "force" users to add the root.
Over time they cover the market -- it's painful but that's life.

> If you are merely calling for the standards to be held high, I fully
> support that call.

Absolutely -- there's a role for trash certs (privacy etc) -- but
authentication has to be well done to be of any use.

> I see a significant percentage of non-US CAs.
> (Count the CAs, rather than the certs).

Verisign and Thawte are the same.  BeTrusted (US) owns GTE CyberTrust,
Baltimore, and TC TrustCentre.  Identrus owns the DST roots.  There is
massive US control there ...  and there is a large array of int'l CAs that
is not represented.  I won't bore you with the lists ... but pretty much
every significant country has at least one commercial provider of PKI now.
If you set a clear standard and process, I am confident that you will have
many int'l CAs -- with WebTrust -- come a knockin.

I've got nothing against university CAs -- there is some great stuff going
on at Dartmouth and other schools that is advancing PKI and lowering the
costs of deployment.  However, the fact is that most business and government
PKI activity is outsourced to commercial CA providers -- and the browsers
currently funnel business to the few giants.  Most CAs are willing to go
through the WebTrust -- because it makes sense for our clients and our
users.  But it doesn't help much if you can prove that your standards are
high, and your service is great, but you still have to explain that users
will have to install your root vs VeriSign which is on every computer since
creation ... (insert rant here).




"Nelson B" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
> Stephen Davidson wrote:
>
>  > I strongly support these comments from Frank Hecker and David Ross.  Early
>  > versions of browsers included CA certs on a casual basis;  many of the
>  > embedded roots were operated by universities simply because there weren't
>  > any others.
>
> That's a curious statement, and doesn't match my own knowledge of the
> subject (unless you're referring to browsers other than Netscape/mozilla).
> I've been a Netscape/mozilla SSL/crypto developer for about 7.5 years.
>
> All (or nearly all) the embedded roots entered the list back while the
> list was exclusively controlled by Netscape.  They come from CAs who
> PAID substantial sums for the privilege.  The rationale was that in the
> absence of any good way to separate the good CAs from the bad, simply
> charging big $$ would eliminate most of the CAs who didn't have the
> resources to do the job well.  Also, by charging a "non-recurring
> engineering fee" for admission, legally Netscape was not passing
> judgement on the worthiness of the CAs in that list, and hence Netscape
> avoided liability for those CAs' actions (or so the lawyers asserted).
> And unpopular though that approach may be with home-grown CAs, it worked
> pretty well, in my judgement, as witnessed by the fact that there have
> been extremely few major gaffes made by the CAs in that list, and NONE
> so bad that consensus formed to remove the offending CAs from the list.
>
> BTW, I recently read that Opera also uses the method of charging for
> admission as their selection criteria.
>
>  > However, digital certificates are increasingly used as the
>  > basis for security and privacy and to conduct business
>
> Increasingly?  They were always used that way.  Unless you're talking
> about PGP, which is not part of any mozilla/netscape browser.
>
>  > and the standards used by the CA are very important.
>  >
>  > Mozilla takes standards seriously;  but in the case of PKI, adherence to
>  > technology standards is not enough.  For example, a certificate from my
>  > "snake oil CA" will work as smoothly as one from Verisign or Go Daddy.  The
>  > difference is in the authentication and operational standards used by the CA
>  > backing up the certificates.  Technology standards make certificates work,
>  > the business standards make them useful.
>
> You seem to be suggesting that you think the existing CAs have not been
> held to (or rather, have not met) high enough standards.  Yet I observe
> that most of the people participating in this discussion are calling for
> LOWERED standards.  The recent rallying cry was "we're non-profit and
> low cost, and that should qualify us."
>
> If you are merely calling for the standards to be held high, I fully
> support that call.
>
>  > Current browser CA cert stores reflect a bias towards "old internet" --
>  > they are dominated by Verisign (and its Thawte division) and a wild mix of
>  > university/government owned CA certs (many of which are derelict).
>
> That's an interesting statement.  Can you support it?
> It doesn't match what I see in my own mozilla browser's list of root CAs,
> including the 64 roots in the "builtin Object Token", and the similar
> number that I've accumulated from past trust lists.
>
> I see a significant percentage of non-US CAs.
> (Count the CAs, rather than the certs).
>
> It's true that Verisign alone has more roots than any other single CA,
> (having about 1/6 of the certs in the list) but second place goes to
> GTE CyberTrust, and third place goes to "TC Trust Center of Security in
> Data Networks Gmbh" in Germany.  I see 11 CAs with 4 or more root certs
> each.
>
> And when you count each CA once, rather than once for each of their
> root CA certs, no CA dominates.
>
> I only see 6 certs that might be tied to universities.
> Being University owned doesn't bother me.  Stanford University owns
> businesses that I would readily trust.  Being university RUN (e.g. by
> staff or students in the computer science department) DOES bother me.
> Indeed, university run CAs whose certs don't meet the standards have
> been an ongoing cause of pain for mozilla developers and users alike.
> But I only see a few CAs that potentially fall into that category.
>
>  > They are globally embedded simply by virtue of being old --
>
> And they are old (in the case of Netscape/mozilla) simply because
> the number of requests for admission to Netscape's root list fell off
> very sharply.  IOW, most of the newer CAs never applied for admission
> while Netscape ran it (or even to this day, BTW).
>
>  > but the bias is definately North American.
>
> The same could be said of the entire high-tech computer industry.
> Most of the activity happens in North America.  So, the situation in
> the root list is only representative of the world at large, IMO.
>
>  > But today, around the world there are many national CAs as well as
>  > commercial providers (my own company included) that are moving adoption of
>  > PKI/digital certificates forward.
>
> AFAIK, no national CA who has applied has ever been denied (but I'm
> not aware of *all* applications, so I could be wrong).
>
>  > Mozilla needs to adopt a policy and a process to allow these players
>  > a clear goal and path for inclusion.
>
> I think that's the one statement with which all readers here agree.
>
>  > I think it would be a mistake to "roll your own standard" for Mozilla; the
>  > responsible providers of CA services already bear a significant security
>  > compliance burden.
>
> Should we conclude that CAs without a significant compliance burden are
> irresponsible?  :)  I ask that because I think a significant percentage
> of the present applicants have little or no present compliance burden.
>
>  > The commercial providers are gravitating towards
>  > WebTrust because it includes many of the procedures that our clients
>  > typically require of us.  We can do one large audit instead of many partial
>  > ones.
>
> The idea of a small number of parties, such as WebTrust, who will do
> the job of vetting CA practices for the community of browser producers
> (and producers of other SSL and SMIME clients) is very attractive.  However,
> with respect to WebTrust in particular, there are several objections that
> have been raised that have resonated with the mozilla crypto community.
> Perhaps I will write more about those objections in a subsequent followup
> message.  (You might find them in archives of this newsgroup.)
>
>  > Mozilla can't take on the process of being the arbiter of good in the CA
>  > business
>
> I agree with that statement.  But you and I are in the minority on that
> view, I think.
>
>  > I think that the Microsoft policy for CA certs is sound:
>
> I concur.  It helps MS avoid liability, because they (MS) rely on
> WebTrust's evaluation, rather than on their own.  And MS doesn't have
> to devote much staff to the process, because it's mostly done by webtrust.
> And it makes sense for MS, since MS is not trying to cater to the market
> of software consumers who want to pay nothing for their software, nor
> for any of the services (such as cert issuance) they use.
>
>  > Apple appears to have a slightly different policy, which is that if a CA is
>  > accredited or regulated in their home country, then they should be included
>  > in the OS.
>
> Taking that stance, however, just adds another level of indirection to
> the problem.  Now, you need someone to operate "NationTrust", that is,
> someone who can tell you which countries are sufficiently free of
> corruption that they can be trusted to only accredit good CAs.
> Would you trust a CA in Haiti or Colombia or Afghanistan?
>
>  > Regards, Stephen
>  > www.quovadis.bm
>
> --
> Nelson B
>


_______________________________________________
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto
