Nelson B wrote:
I wish there were some way, but I don't know of any standard way to represent the amount/strength of authenticity checking done by CAs prior to issuance. There would have to be a new extension, or alternatively it could be new info stored along with the cert in NSS's cert store.
That's what I was hinting at... How hard would it be to do this without breaking backward compatibility, yet in future the UI knowing about this extension would be able to give the user more information?
I think the X.509 folks never dreamed that there would exist low-assurance CAs. They assumed all CAs would be high assurance.
That's just naive... What other types of security, physical or other wise uses a 1 size fits all policy?
AFAIK, there's no uniform standard for classes. It might help a lot if there were. WebTrust doesn't require classes. They test only that a CA does what their CPS says, whatever that is.
Maybe this is something that needs to be part of what one of the other guys were suggesting as part of their to CAs that wish to be included, or remain in the browsers...
I think my predecessors (original designers of NSS) thought that all SSL and code-signing CAs would be high assurance, and therefore thought that the 3 trust bits (email, SSL, code signing) were enough to distinguish (root CA) certs as to level of assurance.
Can we honestly say that is still the case, if not can it be addressed some how in a sane manner to give the user more information on what they're about to do, I guess this is similar to the debate over monetary values etc...
This situation reminds me of the situation with road works in Sydney, they tend to plan for the current needs instead of what will be needed in 5 or 10 years time, so it's a constant game of catch up rather then better planning to make everyone's lives a little easier.
--
Best regards, Duane
http://www.cacert.org - Free Security Certificates http://www.nodedb.com - Think globally, network locally http://www.sydneywireless.com - Telecommunications Freedom http://happysnapper.com.au - Sell your photos over the net! http://e164.org - Using Enum.164 to interconnect asterisk servers
"In the long run the pessimist may be proved right, but the optimist has a better time on the trip." _______________________________________________ mozilla-crypto mailing list mozilla-crypto@mozilla.org http://mail.mozilla.org/listinfo/mozilla-crypto