On Wed, 02 Feb 2005 00:17:01 +0000, Ian G wrote:

> Simon Anderson wrote:
>
>>On Mon, 31 Jan 2005 12:41:57 -0800, David Ross wrote:
>>
>>> Until CAcert's practices are reviewed,
>>>the Mozilla Foundation cannot risk its user base by installing
>>>CAcert's root certificate.
>>
>>Yet the Mozilla foundation has risked the security of its
>>user base by turning a blind eye to abuses from commercial CAs
>>such as Verisign.
>
> MF is not really capable of judging whether one
> CA or another is conducting abuses. That's one
> known bug in the model: all CAs are equal, and
> the consumer is not given a display of the CA so
> as to use her own knowledge and preferences to
> make a judgement (c.f., branding ideas). Regardless,
> MF will never be able to work out whether a CA is
> good or bad, and its current policy is to shift that
> burden of CA vetting over to WebTrust and equivalents.

I'll assume that you're not being obtuse. This is the most well known issue from Verisign;

http://www.pcworld.com/news/article/0,aid,45284,00.asp

This case allows anyone to make a value judgement on Verisign's services, MF included. Please don't pretend otherwise.

Verisign's inclusion in mainstream browsers should have been at least reviewed (if not removed) after such an incident, yet this did not occur. Why is unearned trust of Verisign given by MF despite such incidents, while a Community Authority is assumed by MF in the first instance to be untrustworthy? MF forms a value judgement based on a comparison of market capitalisation between the two organisations, nothing more.

> The fact that this puts the stress on the WebTrust process to meet
> users' real needs is a clear and obvious shortfall. It's also a massive
> barrier to entry, but hey! Somehow I doubt that any vague complaints or
> grumbles are going to register, given the weight of evidence against the
> model assembled so far (and the losses incurred).
>
> So, if you have some list of abuses, you really want to post them. You
> are going to need to establish two things:
>
> 1. a given CA is abusing,
> 2. the WebTrust system is inadequate to deal
> with 1.
>
> You need to establish both things. Now, if you have any evidence of
> Verisign abuse, have a look here:
>
> http://icann.org/tlds/net-rfp/net-rfp-public-comments.htm
>
> Where evidence of abuse might make a difference.

Evidence of abuse (wrong word, "untrustworthiness" would be better) should make a difference here. The browser is at the coal face of a user's security.

> (Did Verisign get their WebTrust renewed? I wrote WebTrust about the
> conflict of interest but they never responded.)
>
>>The double standard expressed by David here epitomises the Mozilla
>>Foundation's attitude throughout the eighteen months of discussion on
>>this topic.
>
> David has found a compromise that suits for now. It's not perfect, but
> nobody can make the world perfect.

Ah, the creed of the apathetic and the lethargic.

>>For Mozilla, it's not about "trust" or "security." Rather, it's about
>>"who pays." This stance is incompatible with community certification.
>
> I've never seen any evidence that MF cares about who pays. For the most
> part, I'd characterise the situation as slavish subscription to an old
> security model that is now shown to be inadequate. That will change, as
> the inadequacies mount (losses, etc). The honeymoon ended a year or two
> back, but it's taking a while for people to get to grips that the
> browser security model is being breached by spoofing / MITM attacks

MF's approach is this; "Verisign paid for Webtrust, so they will be included no matter how many times their security is breached or their processes are shown to be insecure. CA-Cert in contrast, cannot be included without paying for WebTrust."

I think that you will consider this an oversimplification but I contend that this is the root of the matter, based on eighteen months of watching MF prevaricate.

I think that the CA-Cert people should ask themselves why they want to have their cert included in MF browsers. If they're interested in secure solutions they would do well to stay away from a browser so willing to prostitute itself to commercial entities at the expense of true security.

-Simon.

_______________________________________________
mozilla-crypto mailing list
http://mail.mozilla.org/listinfo/mozilla-crypto
