Frank Hecker wrote:
> But I'm willing to consider going further: Since people have expressed
> concern about the rigor involved in vetting applicants for SSL server
> and code signing certs, we could use the LCP as a floor for email certs,
> and the NCP as a floor for SSL and code signing certs. This likely
> corresponds to typical CA practice today: the LCP permits the equivalent
> of class 1 email certs not requiring much user authentication, while the
> NCP requires presentation of appropriate identity documents (in person
> or otherwise).
I'll say again, to attack a website is a lot harder than attacking an email address: you only need a certificate to sign an email, you don't need to alter/spoof DNS etc. after the fact, whereas to continue attacking a website you have to continue affecting the DNS system, not to mention that with emails it is less immediately obvious if they went through, where they went, etc. etc. etc.

SSL server certificates don't just relate to money; I use them for IMAP and SMTP, and again this goes back to my comments about making things no longer black and white security. I don't see how you can lump everyone in one box and say OK, this is the one-size-fits-all category; Ian gave a very good reason to split things up. How can you possibly fit everyone into the US-centric documentation-required model if there is no documentation, or it's of dubious origins?

I think CA policies WILL HAVE to be normalised to fit into different categories, and while everyone seems to be against MF doing this directly, someone has to do it, or you will constantly be trying to fit everyone into this one-size-fits-all policy that just won't fit the majority of situations that currently exist.

To protect my (IMAP/SMTP) passwords, why should a certificate have as much checking as for a site doing $1,000,000 transactions? Why should informational items on certificates be simply considered just that? Why shouldn't there be some minimum requirements to remove the confusion, not to mention the potentially misleading situation that gets hidden away in the fine print?

While others are ducking for cover saying why this won't work, I think they're wrong. I think the CPS documents do contain enough information to categorise things MUCH BETTER, and I think the Mozilla Foundation should seriously be considering everything their users are doing rather than simply sweeping it under the rug and only considering online banking and other commerce.
If you want case studies on webmail, SMTP, IMAP and other browser-related functions that have nothing to do with monetary relations, and on how companies use their certificates, I will post something to the CAcert mailing list and get people to express their current situations on the matter, because I know for a fact I'm not the only one in this boat, and the mailing list archives show this fact time and time again. Hell, the amount of non-browser use is fairly high among IRC users as well... How can all these things simply be lumped together in a single use policy like you are describing?

--
Best regards,
Duane

http://www.cacert.org - Free Security Certificates
http://www.nodedb.com - Think globally, network locally
http://www.sydneywireless.com - Telecommunications Freedom
http://happysnapper.com.au - Sell your photos over the net!
http://e164.org - Using Enum.164 to interconnect asterisk servers

"In the long run the pessimist may be proved right, but the optimist has a better time on the trip."

_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto
