Ram0502 wrote:
I've done with my CA cert page?
http://www.hecker.org/mozilla/ca-certificate-list
I believe there is value to the community in having an easy to compare
page; your page is a solid start but I would add all the included CAs
as well and I think breaking out some fields (use of secure hardware,
some policy details) would be of tremendous benefit.
Taking a leaf from my experiences over on
the digital currency world, where the users
are fundamentally responsible for ensuring
that the issuers protect their metal (there's
about $80m protected in that world, from
memory), I would suggest that fundamentally
it is a grand idea to present opinions on CAs.
Do it - in any way you feel fit ! Create a page
like Frank's and present the info you think
important.
1 if MF breaks out the practices and policies of the various CAs
(included or otherwise) into some 'obvious' security attributes
AND
I'd be surprised if MF has the budget or the
staff to offer any opinion that could sway the
CA market. As MF is already responsible for
constructing the root list, for them to offer
any opinion as to the incumbents in that list
is to open a can of worms.
2 if there are obvious groupings of security levels
then one could make an argument for using the naturally occurring
thresholds to define best practices for various applications and
thereby continue to abstain from making potentially risky decisions in
favor of again leveraging market driven best practices.
For example perhaps enough CAs offer OCSP/CRL pointers in certificates
that MF can take advantage of that to require this feature for roots
to be trusted to issue software publishing credentials.
This has the excellent feature of strongly encouraging competition
between the root providers for example to include automatic revocation
checking, or anti-spyware policies or whatever practical considerations
emerge as supported by the open market.
That would all be grand stuff on an open
market table by some interested and responsible
participant. Unfortunately, MF is a role player,
and may be conflicted if it takes on any bias beyond
the highly technical role of constructing the root
list.
Well, yes, but only if we and other browser/email vendors actually do
something with the issuerLogo :-)
I suspect we could get the for profit CAs to implement this in the MF
source base as they would clearly benefit from the branding. As I
understand it the real question is if the security value (which is
obvious to me) is conveyable apparent to whomever controls the UI real
estate.
Yes, this appears to be the big issue. See the
recent announcement by Microsoft, that might
help to explain the case to the UI people.
I think there are many workable approaches to this. For example
allowing the user to make a (perhaps deeply hidden at first)
configuration selection about it. Generally this concept would be well
leveraged by asking the user one or two questions to tailor their setup
(rate your clue and your daring/paranoia on a 5 point scale) and adjust
their security policy (XPIs must be signed with revocation, must be
signed by anyone, don't care) and UI (show me brand, hide this stuff)
based on their selection. I think this is a much better approach to
balancing usability and security needs.
Those are some interesting ideas to white board
with the UI people.
BTW Thanks Frank for your ongoing hard work here - managing the root
list and policies for MF is not a glorious job but it is an essential
one.
Hear, hear!
iang
--
News and views on what matters in finance+crypto:
http://financialcryptography.com/
_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto
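The thread above floats the idea that a root program could require revocation pointers (an AIA OCSP responder URL and/or a CRL distribution point) in issued certificates. The following is an added example, not code from the thread or from Mozilla, showing what such a check looks like in practice with Go's standard-library x509 package: it builds a self-signed test certificate with constructed sample URLs (the `example.test` names are placeholders, not real responders), parses it back, and reports which pointers are present. The helper names (`RevocationPointers`, `CheckRevocationPointers`, `MakeTestCert`, `PointersFromDER`) are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// RevocationPointers summarises the two standard revocation pointers a
// certificate can carry: OCSP responder URLs from the Authority Information
// Access extension, and CRL Distribution Point URLs. (Hypothetical helper
// type for this example.)
type RevocationPointers struct {
	OCSP []string
	CRL  []string
}

// HasAny reports whether at least one revocation pointer is present.
func (r RevocationPointers) HasAny() bool {
	return len(r.OCSP) > 0 || len(r.CRL) > 0
}

// CheckRevocationPointers reads the already-parsed AIA OCSP and CDP fields.
// Go's parser populates both from the corresponding extensions.
func CheckRevocationPointers(cert *x509.Certificate) RevocationPointers {
	return RevocationPointers{
		OCSP: cert.OCSPServer,
		CRL:  cert.CRLDistributionPoints,
	}
}

// PointersFromDER parses DER bytes and runs the check.
func PointersFromDER(der []byte) (RevocationPointers, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return RevocationPointers{}, err
	}
	return CheckRevocationPointers(cert), nil
}

// MakeTestCert builds a self-signed certificate with the given (constructed)
// OCSP and CRL URLs so the check can be exercised offline. Pass nil for
// either to omit that pointer.
func MakeTestCert(ocsp, crl []string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example.test"}, // placeholder
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		OCSPServer:            ocsp, // becomes AIA id-ad-ocsp entries
		CRLDistributionPoints: crl,  // becomes the CDP extension
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

func main() {
	// Constructed sample URLs; nothing is contacted.
	der, err := MakeTestCert(
		[]string{"http://ocsp.example.test"},
		[]string{"http://crl.example.test/ca.crl"},
	)
	if err != nil {
		panic(err)
	}
	p, err := PointersFromDER(der)
	if err != nil {
		panic(err)
	}
	fmt.Printf("OCSP: %v\nCRL: %v\nhas revocation pointer: %v\n", p.OCSP, p.CRL, p.HasAny())

	bare, _ := MakeTestCert(nil, nil)
	q, _ := PointersFromDER(bare)
	fmt.Printf("bare cert has revocation pointer: %v\n", q.HasAny())
}
```

Presence of a pointer is only the first gate; a real policy check would also fetch the OCSP response or CRL and verify its signature, which this example deliberately does not do.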