> This was part of my reasoning on why not to lock people to CAs, the CA
> can then act in an anti-competitive manner...
But this strays so far away from the discussion here, which is to select a methodology for selecting CAs for inclusion in Mozilla. Frankly, if a CA acts up -- you pull them out. Beginning with Windows XP, Microsoft has this capability (auth.cab) and I would suggest Mozilla consider a similar feature. It is important to have an independent standard against which to judge CA behavior (and WebTrust seems to be the most likely candidate).

To stretch your argument to say that "lock-in" could encourage CAs to charge for revocation is inflammatory. Most CAs are on the hook under a warranty or other forms of liability if they continue to validate a certificate that is no longer valid -- they need to encourage certificate owners to revoke when appropriate.

With the increased competition in the CA business -- price battles have undermined most "lock-ins". If anything, the CAs are throwing in freebies (such as vuln scans) to increase the "value" of the certificate purchase.

The only "lock-in" that I see possible is when enterprises have integrated their applications with the CA -- such as for the issuance of S/MIME certificates to a large community. But most relationships of this kind are not "retail" -- they are the outcome of a long development of trust/relationship and are normally covered by multiyear contracts/SLAs.

Also, much of the dialogue regarding dissidents is ... well ... just irrelevant in the commercial CA business!! Most commercial CAs have commercial enterprises as their clients -- that's just the way the money-grubbing world is. Our clients are not normally afraid of the NSA ... they are trying to fulfill regulatory obligations to protect user privacy or to enable business efficiency.

_______________________________________________
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto
