Simon Anderson wrote:
> Yet the Mozilla foundation has risked the security of its
> user base by turning a blind eye to abuses from commercial CAs
> such as Verisign.

This reminds me of Rich Freeman's comment in bug 215243 about incumbent CAs being held to lower standards than new entrants. For the record, I think it would be useful to go through the initial CA list (i.e., the one inherited from Netscape prior to the Mozilla Foundation getting involved in this) and re-approve (or disapprove) those CAs. I haven't done so for two reasons:


First, I have limited time, and what time I do have has been spent handling new requests and working on the new policy. Second (and more important), based on the evidence at hand I don't believe that there are any real security problems related to existing CA certs in Mozilla. With regard to VeriSign in particular, I agree with Ian Grigg's comments. If others believe to the contrary that there is a "clear and present danger" associated with including VeriSign CA certs in Mozilla, then they're welcome to present evidence of this to the Mozilla security group, per the process outlined in

  http://www.mozilla.org/projects/security/security-bugs-policy.html

(And for the record, I think the evidence has to go beyond four-year-old reports about single incidents. Is there a pattern of such incidents? Are there known current cases of "rogue" certs -- i.e., not expired? Any evidence of exploits related to such certs? And so on...)


> For Mozilla, it's not about "trust" or "security." Rather, it's about "who
> pays." This stance is incompatible with community certification.

IMO it's more about "lack of time" and "laziness", in two senses: First, I personally am to blame for not working on this more than I have (though this is partly for reasons beyond my control, like family commitments). But even beyond my personal failings, it's not trivial to investigate CAs (assuming of course that they need to be investigated, which we'll take as a given for the purposes of this argument). That's why it's tempting to simply offload that task to WebTrust and third parties like the firms authorized to do WebTrust audits, and why that was done in the past. Going forward the intent is to move away from that.


Frank

--
Frank Hecker
_______________________________________________
mozilla-crypto mailing list
http://mail.mozilla.org/listinfo/mozilla-crypto
