Robert Relyea wrote:

If Mozilla starts including these kinds of policies, I would have to recommend against using Mozilla to these friends. It's not worth trusting their life that some unvetted CA "got it right".

This goes back to my comment to Julien: if a government wants to intercept traffic issued by a CA, they can either get certificates from an existing CA or set up and have their own CA vetted. There is no way I can think of that this would be easily detected in the case of countries piping all traffic via a single point, such as China and countries in Africa, the Middle East and South America. Even a major telco in the area could perform this kind of man-in-the-middle attack; all they'd need to do is set up a dummy company, have it vetted, and boom, no problem at all with intercepting connections...


Vetted or unvetted, I doubt PKI could prevent man-in-the-middle attacks by any government that wanted to intercept traffic...

Basically, PKI in this situation is not worth risking your life on, and I'd suggest that your friend use self-signed certificates, verify the fingerprint by phone with the person that issues it, and dump all other certificates from the browser used for communications...

Finally, just for kicks, we have the US government, who isn't really pushing it at present but was last decade, wanting to collect copies of keys in escrow... Maybe things will shift for the worse tomorrow and they may start pushing this agenda again; what does this do for security?

--
Best regards,
 Duane

http://www.cacert.org - Free Security Certificates
http://www.nodedb.com - Think globally, network locally
http://www.sydneywireless.com - Telecommunications Freedom
http://happysnapper.com.au - Sell your photos over the net!
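The alternative Duane proposes, a self-signed certificate whose fingerprint is confirmed out of band and a client that trusts nothing else, as an added example that is not part of this thread. Host, port and the DER blob are constructed placeholders; the connection helper relies only on Python's standard `ssl` module.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed stand-in for a DER-encoded certificate (not a real certificate);
# in practice these are the bytes from SSLSocket.getpeercert(binary_form=True).
SAMPLE_DER = b"\x30\x82\x01\x0a" + b"constructed-not-a-real-certificate" * 4


def fingerprint(der_cert: bytes, algo: str = "sha256") -> str:
    """Colon-separated uppercase hex digest of the DER bytes, the form read out over the phone."""
    digest = hashlib.new(algo, der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Accept a fingerprint as dictated: any case, with or without colons or spaces."""
    return "".join(ch for ch in fp.upper() if ch in "0123456789ABCDEF")


def matches_pin(der_cert: bytes, pinned_fp: str) -> bool:
    """Constant-time comparison; a pin of unknown length (neither SHA-1 nor SHA-256) fails closed."""
    expected = normalize(pinned_fp)
    algo = {40: "sha1", 64: "sha256"}.get(len(expected))
    if algo is None:
        return False
    actual = normalize(fingerprint(der_cert, algo))
    return hmac.compare_digest(actual.encode(), expected.encode())


def connect_pinned(host: str, port: int, pinned_fp: str, timeout: float = 10.0) -> ssl.SSLSocket:
    """Open a TLS connection whose only trust anchor is the pinned fingerprint.

    No CA store is consulted, so a certificate issued by any CA, vetted or not,
    for the same name is rejected unless its bytes hash to the pinned value.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # identity is established by the pin, not the name
    ctx.verify_mode = ssl.CERT_NONE   # no CA chain is evaluated; the pin check is the gate
    sock = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(sock, server_hostname=host)
    if not matches_pin(tls.getpeercert(binary_form=True), pinned_fp):
        tls.close()
        raise ssl.SSLError("peer certificate does not match the pinned fingerprint")
    return tls
```

The pinned value must be obtained by an independent channel (the phone call in the post), never from the same connection it is meant to protect.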
