Nelson B wrote:

> I wish there were some way, but I don't know of any standard way to
> represent the amount/strength of authenticity checking done by CAs
> prior to issuance.  There would have to be a new extension, or
> alternatively it could be new info stored along with the cert in NSS's
> cert store.

That's what I was hinting at... How hard would it be to do this without breaking backward compatibility, so that in future a UI that knows about this extension would be able to give the user more information?


> I think the X.509 folks never dreamed that there would exist
> low-assurance CAs.  They assumed all CAs would be high assurance.

That's just naive... What other type of security, physical or otherwise, uses a one-size-fits-all policy?


> AFAIK, there's no uniform standard for classes.  It might help a lot
> if there were.  WebTrust doesn't require classes.  They test only that
> a CA does what their CPS says, whatever that is.

Maybe this is something that needs to be part of what one of the other guys was suggesting as part of their to CAs that wish to be included, or remain, in the browsers...


> I think my predecessors (original designers of NSS) thought that
> all SSL and code-signing CAs would be high assurance, and therefore
> thought that the 3 trust bits (email, SSL, code signing) were enough
> to distinguish (root CA) certs as to level of assurance.

Can we honestly say that is still the case? If not, can it be addressed somehow in a sane manner to give the user more information on what they're about to do? I guess this is similar to the debate over monetary values etc...


This situation reminds me of the situation with road works in Sydney: they tend to plan for the current needs instead of what will be needed in 5 or 10 years' time, so it's a constant game of catch-up rather than better planning to make everyone's lives a little easier.

--

Best regards,
 Duane

http://www.cacert.org - Free Security Certificates
http://www.nodedb.com - Think globally, network locally
http://www.sydneywireless.com - Telecommunications Freedom
http://happysnapper.com.au - Sell your photos over the net!
http://e164.org - Using Enum.164 to interconnect asterisk servers

"In the long run the pessimist may be proved right,
    but the optimist has a better time on the trip."
_______________________________________________
mozilla-crypto mailing list
mozilla-crypto@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-crypto