Duane wrote:

SSL server certificates don't only just relate to money, I use them for
IMAP and SMTP and again this goes back to my comments about making
things no longer black and white security, I don't see how you can lump
everyone in 1 box and say ok this is the 1 size fits all category, Ian
gave a very good reason to split things up. How can you possibly fit
everyone into the US centric documentation required model if there is no
documentation or it's of dubious origins?



Well there's an issue there. What proportion of nominal server certs go to IMAP/SMTP usage?

TLS is a protocol of quite general proportions, it
can be used wherever you have a need for connection-
oriented security.  (It's one undebatable success signal
that we know:  the number of 'design wins' for use in
different applications.)

Is there a category for each of these applications?
I believe the answer to be no.  Is there a need for
there to be a category for each of these applications?

I suspect the answer to be yes;  given some qualification:
that third party signed certs are indicated for the application.

So how many categories are there?  Let's call it 'lots'
which allows us to assume quite quickly that MF can't
deal with them all.  Fine.

So we have to narrow it down.  How many does MF have
to deal with?

MF only distributes root lists for 3 purposes:  email,
browsing, plugins.  So those are the only categories
that MF is currently interested in.

Which means that *if* MF decided to vet on the basis
of documents, it would only have 3 sets of documents
to understand, and only that many sets for each CA.

As there are ... what, 40 different CAs?  And this is
growing, let's call it 100.  MF would need to vet and
approve 300 odd documents for the root list.

Currently MF is declining to do that.  One clear
reason is resources;  there aren't the people around
to do that.

I suppose the question is to establish just how and
by whom these documents are vetted.

(By all means, change the numbers!)

To protect my (IMAP/SMTP) passwords why should a certificate have as
much checking as for a site doing $1,000,000 transactions? Why should
informational items on certificates be simply considered just that, why
shouldn't there be some minimum requirements to remove the confusion and
not to mention the potentially misleading situation that gets hidden
away in the fine print.



I'm curious about this - why is an ISP that provides IMAP/SMTP requiring a CA signed cert? What's the point of that? They already have a relationship with the client that is far stronger than can be established multilaterally with the CA.

.... I think the CPS documents do contain enough information
to categorise things MUCH BETTER ....


I don't think anyone denies that the documents contain information potentially of great value. That isn't the issue. The issue is how a judgement is made.



If you want case studies on webmail, smtp, imap and other browser related functions that have nothing to do with monetary relations and how companies use their certificates I will post something to the CAcert mailing list and get people to express their current situations on the matter, because I know for a fact I'm not the only one in this boat, and the mailing list archives show this fact time and time again.

Hell the amount of non-browser use is fairly high among IRC users as
well... How can all these things simply be lumped together in a single
use policy like you are describing?



Can you ask these people for me why they are using CA signed certificates? If they are abusing the PKI, then they have the problem, not MF. I think the onus should be on them to show that they have a real need to get the open source community, the CA community and everyone else to start providing infrastructure to them ...

iang

--
News and views on what matters in finance+crypto:
       http://financialcryptography.com/

_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto