Simon Anderson wrote:

On Mon, 31 Jan 2005 12:41:57 -0800, David Ross wrote:


Until CAcert's practices are reviewed,
the Mozilla Foundation cannot risk its user base by installing
CAcert's root certificate.



Yet the Mozilla Foundation has risked the security of its
user base by turning a blind eye to abuses from commercial CAs
such as Verisign.


MF is not really capable of judging whether one
CA or another is conducting abuses.  That's one
known bug in the model:  all CAs are equal, and
the consumer is not given a display of the CA so
as to use her own knowledge and preferences to
make a judgement (c.f., branding ideas).  Regardless,
MF will never be able to work out whether a CA is
good or bad, and its current policy is to shift that
burden of CA vetting over to WebTrust and equivalents.

The fact that this puts the stress on the WebTrust
process to meet users' real needs is a clear and
obvious shortfall.  It's also a massive barrier to
entry, but hey!  Somehow I doubt that any vague
complaints or grumbles are going to register,
given the weight of evidence against the model
assembled so far (and the losses incurred).

So, if you have some list of abuses, you really
want to post them.  You are going to need to
establish two things:

  1.  a given CA is abusing,
  2.  the WebTrust system is inadequate to deal
       with 1.

You need to establish both things.  Now, if you
have any evidence of Verisign abuse, have a
look here:

http://icann.org/tlds/net-rfp/net-rfp-public-comments.htm

Where evidence of abuse might make a difference.

(Did Verisign get their WebTrust renewed?
I wrote WebTrust about the conflict of interest
but they never responded.)

The double standard expressed by David here epitomises the Mozilla
Foundation's attitude throughout the eighteen months of discussion on this
topic.



David has found a compromise that suits for now. It's not perfect, but nobody can make the world perfect.

For Mozilla, it's not about "trust" or "security." Rather, it's about "who
pays." This stance is incompatible with community certification.



I've never seen any evidence that MF cares about who pays. For the most part, I'd characterise the situation as slavish subscription to an old security model that is now shown to be inadequate. That will change, as the inadequacies mount (losses, etc). The honeymoon ended a year or two back, but it's taking a while for people to get to grips that the browser security model is being breached by spoofing / MITM attacks.


iang

--
News and views on what matters in finance+crypto:
       http://financialcryptography.com/
