Frank Hecker wrote: > > Frank Hecker wrote: > > > I've posted a new version of the "policy details" section of the CA > > certificate that discusses CA-related risks/threats and the evaluation > > criteria for CAs intended to address those risks/threats. The new > > material is confined to the following two questions: > > > > http://www.hecker.org/mozilla/ca-certificate-faq/policy-details/#risks > > http://www.hecker.org/mozilla/ca-certificate-faq/policy-details/#criteria > > I knew there was something else I forgot to mention: Re my comments on > the typical user, the language about typical users not voluntarily > displaying security-related information is really a fancy way of saying > that typical users are not going to be clicking on lock icons and > inspecting the details of certificates, except possible when they get a > warning message that offers them an option to "view certificate" (and > even then they may not take advantage of this offer, or know what to > make of it). > > Thus arguably the only cert- and CA-related things that matter to > typical users are things that would cause a warning message to be > displayed to the user given default preference settings. If, for > example, a CA issues a cert with false information, but the false > information is for attributes whose values are not checked by Mozilla or > displayed to the typical user by default, then as far as the typical > user is concerned the truth or falseness of the information is > irrelevant, and looking at it from the point of view of a typical user > arguably there is little or no point in having CA evaluation criteria > relating to verification of that information > > Frank > > -- > Frank Hecker > [EMAIL PROTECTED]
Hi, Apologies for jumping in here. I just started coming here awhile ago because of some problems that I'd encountered awhile ago with a CA/CA certs, which Nelson helped me out with. The story I'm about to relate to you may not be totally relevant, but I thought you might find it interesting relative to this subject. I'll try to keep this relatively short :)... Several weeks ago, I started working with a customer who was try to implement "their part" of an existing PKI environment. As part of my work, I had to go through a process of downloading their CA's certs (FYI, as I related to Nelson, they have a root CA, and multiple sub-root CAs) into several machines, but when I tried to access some SSL-secured websites that had server certs issued by one of the root CAs, I was getting warning popups saying the host was not trusted. After some investigation, I determined that the reason I was getting the popups was that the trust purposes weren't being set properly in the PSM during the downloading of the CA/sub-root CA certs. I called the CA, and mentioned this to them, and they said that they "had never heard of such a problem", and that they had so many users, and no one had ever reported such a problem to them, so that they didn't believe that there was a problem. Basically, they told me to go away :)... With Nelson's help, I was able to discover that the reason for the incorrect trust purposes was primarily because of the way that the CA had the downloadable CA/sub-root CA cert package configured, and I've reported this again to the CA (I'm a bit persistent by nature :)), and they are supposedly looking into it, but the last person I spoke to basically told me that he didn't think that there was a problem. Well, as it turned out, I happened to run across an experienced user in this community, and I was going through some testing with him this past week, and when we visited one of these secured servers, we got the popup again. I then mentioned the problem that I had discovered previously, and he said something to the effect of "yes, we always get that (popup), and have always wondered about that". Ahah!! So I asked him, had he ever called the CA to tell them about this, and he kind of mumbled "no"... Anyway, that's about it... I'm mainly writing because as I read through your comments above, it just reminded me of this... Jim _______________________________________________ mozilla-crypto mailing list [EMAIL PROTECTED] http://mail.mozilla.org/listinfo/mozilla-crypto
