why should [Microsoft's] root CA cert not be included?
One reason would be that I/we don't trust them, and CAs are all about trust.
First, you're automatically (and perhaps mistakenly) extrapolating from "I" to "we" (depending on who "we" refers to). Second, the "trust" placed in a CA is specifically limited to practices involving cert issuance, revocation, etc., and IMO this has little to do with whether you approve or disapprove of a CA's general business practices, especially practices in business areas separate from the CA itself.
Let's say your enemy (the one you want to protect yourself from) is not any competing company, but the government.<omitting example of possible threat from government>
So, in the current model, you are vulnerable to governments (actually anybody) which control root CAs.
and how specifically would you propose to mitigate it? (Also, what additional criteria would you propose to add to the policy relating to this issue?)
You asked about threat models, and that's mine ;-).
There's probably not much we can do in the policy (the typical SSL model is probably (intentionally) inadequate to protect against that). Maybe it will make a difference in practice during CA evaluation in one case or the other, maybe we can't do anything in practice (in the policy). But I personally think we should acknowledge that risk, be concerned about that, and state so.
I agree that threats from governments should be for the most part "out of scope" as far as the policy is concerned. However I'll consider adding an item to the meta-policy briefly discussing this issue.
You think that "vet" is a typo? No, it's the word I meant
Nod. I just didn't know that word, and my dict said 'a doctor for animals; treating or examining an animal'. Another dict I just used says 'check thoroughly', I guess that's what you meant. I just had a hard time to make make sense of the sentence, but because it's my lacking English knowledge, ignore my comment.
No, I'll change the word. IMO the policy should be written so that people don't have to look up words in the dictionary. (And I think your "English knowledge" is pretty darn good.)
Yes, you're correct that the criteria are sketchy. This is because they are still being written.
Ah, I thought it is supposed to be almost done.
I wish :-)
But I don't think we should allow people to just add a CA to a server that (to give an extreme example) already carries a large HTTP server with lots of scripts, FTP server, CVS server, DNS, mail, mailing lists, shell accounts etc.. Running a CA requires dedication and a lot of time, it's IMHO nothing you can just add to your larger list of services.
Agreed. In practice I don't see us approving anybody who is not running a true CA operation (as opposed to the folks Nelson Bolyard complains about, who install OpenSSL, issue a few certs, and decide they're a CA). The least "formal" application we've received is that from the CAcert.org folks; regardless of what one thinks of their operation as compared to commercial CAs, clearly they're trying to run a dedicated CA service as opposed to just a CA service "stuck on the side" of some other service.
Frank
-- Frank Hecker [EMAIL PROTECTED] _______________________________________________ mozilla-crypto mailing list [EMAIL PROTECTED] http://mail.mozilla.org/listinfo/mozilla-crypto
