Frank Hecker wrote:
Simon Anderson wrote:
Yet the Mozilla foundation has risked the security of it's
user base by turning a blind eye to abuses from commercial CA's
such as Verisign.
This reminds me of Rich Freeman's comment in bug 215243 about
incumbent CAs being held to lower standards than new entrants. For the
record, I think it would be useful to go through the initial CA list
(i.e., the one inherited from Netscape prior to the Mozilla Foundation
getting involved in this) and re-approve (or disapprove) those CAs. I
haven't done so for two reasons:
First, I have limited time, and what time I do have has been spent
handling new requests and working on the new policy.
I agree with all that. For the sake of the credibility
of the policy, this has to remain an agenda item, if
only to warn CAs not to be complacent :) Whether
you *ever* have time is an open question, which is
just another reason why I think inevitably there will
be a drift towards an asymmetric CA policy (where
not all CAs are equal). It's the only way to manage
the divergent requirements, economically speaking.
IMO it's more about "lack of time" and "laziness", in two senses:
First, I personally am to blame for not working on this more than I
have (though this is partly for reasons beyond my control, like family
commitments). But even beyond my personal failings, it's not trivial
to investigate CAs (assuming of course that they need to be
investigated, which we'll take as a given for the purposes of this
argument). That's why it's tempting to simply offload that task to
WebTrust and third parties like the firms authorized to do WebTrust
audits, and why that was done in the past. Going forward the intent is
to move away from that.
The concept of using a reputable firm to 'check
the books' of a company derives from the old
days where to actually get to the books required
amounts of travelling and quite specialised
knowledge in accounting and so forth.
These days we have the net. We also have a
whole host of idle experts out there. In the
Digital currency world we promote what we
call open governance where the users are
responsible for auditing the institutions. It
is an evolving concept, not without controversy,
but it does do one thing extraordinarily well:
it allows trust to be aggregated and disseminated
without large amounts of money being spent, and
without relying on excessive secrecy.
iang
--
News and views on what matters in finance+crypto:
http://financialcryptography.com/
_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto
