On Wed, 02 Feb 2005 00:35:12 -0500, Frank Hecker wrote:

> Simon Anderson wrote:
>> Yet the Mozilla foundation has risked the security of its
>> user base by turning a blind eye to abuses from commercial CAs
>> such as Verisign.
> 
> This reminds me of Rich Freeman's comment in bug 215243 about incumbent 
> CAs being held to lower standards than new entrants. For the record, I 
> think it would be useful to go through the initial CA list (i.e., the 
> one inherited from Netscape prior to the Mozilla Foundation getting 
> involved in this) and re-approve (or disapprove) those CAs. I haven't 
> done so for two reasons:
> 
> First, I have limited time, and what time I do have has been spent 
> handling new requests and working on the new policy. Second (and more 
> important), based on the evidence at hand I don't believe that there are 
> any real security problems related to existing CA certs in Mozilla. With 
> regard to VeriSign in particular, I agree with Ian Grigg's comments. If 
> others believe to the contrary that there is a "clear and present 
> danger" associated with including VeriSign CA certs in Mozilla, then 
> they're welcome to present evidence of this to the Mozilla security 
> group, per the process outlined in
> 
>    http://www.mozilla.org/projects/security/security-bugs-policy.html

Removing Verisign is not in CA-Cert's interest. MF treating CA-Cert and
Verisign equitably is.

>> For Mozilla, it's not about "trust" or "security." Rather, it's about
>> "who pays." This stance is incompatible with community certification.
> 
> IMO it's more about "lack of time" and "laziness", in two senses: First,
> I personally am to blame for not working on this more than I have
> (though this is partly for reasons beyond my control, like family
> commitments). But even beyond my personal failings, it's not trivial to
> investigate CAs (assuming of course that they need to be investigated,
> which we'll take as a given for the purposes of this argument). That's
> why it's tempting to simply offload that task to WebTrust and third
> parties like the firms authorized to do WebTrust audits, and why that
> was done in the past. Going forward the intent is to move away from that.

That all sounds lovely.

After 18 months, "laziness" and "lack of time" are euphemisms for
"complete disinterest." What you seem to be saying here is "wait a little
longer, things will change." I think that this is unhelpful as it
encourages CA-Cert to continue dealing with MF when, if we're honest about
it, CA-Cert would benefit from focusing their efforts elsewhere.

It will be ironic if it transpires that a commercial browser grants
CA-Cert (or another community CA) inclusion.

-Simon.

_______________________________________________
mozilla-crypto mailing list
http://mail.mozilla.org/listinfo/mozilla-crypto