David Ross wrote:
In Mozilla bug #215243, a lengthy debate has begun (via bug
comments) whether CAcert's root certificate belongs in the Mozilla
certificate database.

I spent a little time reading CAcert's website, and it seems to me that their policies mean they would not be a good inclusion in Mozilla.
At the moment, the fact that someone has to make at least some effort to prove that they are who they say they are, and provide verifiable contact details, is the only mechanism (however weak it may be) that we have for tracking sites to people. If a phishing site is forced to buy an SSL cert to make themselves more genuine, there is at least some sort of audit trail back to the phisher.

CAcert's policy of giving certs to anyone with a working email address undermines this. This reduces the amount of verification a cert gives to "if I see www.amazon.com in the URL bar, I'm on www.amazon.com". And, with the new punycode-based identical-glyph character attacks, that's currently no guarantee at all.

Gerv
_______________________________________________
mozilla-crypto mailing list
http://mail.mozilla.org/listinfo/mozilla-crypto