Ram0502 wrote: > I'd like to see an indication of what information the > CA is prepared to defend and to what extend they are > making that assurance on identity (e.g. we assure you > this is IBM, NY, US and provide warranty as follows) > as well as some indication for signed software as to > any policy they may have arround appropriate use such > as requireing up front disclosure about what the > software does.
Of the CAs whose CP and CPS I've read, they all severely limit their liability and provide little-to-no warranty at all. There may be some CAs out there that do strongly warrant their identity proofing (note the use of the word strongly), but they have no incentive to do so. Digital Signature Trust Co. used to warrant it's SSL server certificates and also warranted its TrustID client certificates for a significant amount of money, but from what I've heard they no longer do so. My guess as to why would be because they couldn't sell enough certificates (at whatever price the market would bear) to pay for the insurance premiums that are necessitated by such a warranty. It seems like people won't pay for warrantees unless the pain of not having one becomes worth the cost a warranty incurs on the system. I have yet to see *any* CA require disclosure by a customer applying for a code signing cert about what the software does. If there was such a CA then it wouldn't make sense for the CA to issue them a cert that could be used over and over again to sign thousands of applications. It would make more sense for the CA to simply sign the *one* application they required disclosure for and never give a customer a private key/cert capable of signing code that wasn't part of the CA's code review process. -alex _______________________________________________ mozilla-crypto mailing list mozilla-crypto@mozilla.org http://mail.mozilla.org/listinfo/mozilla-crypto