Gervase Markham wrote:

Fundamentally, when we had no market share, we had no leverage. When we have some, we'll have some. So how about this for an idea to kick around:

- CA Foo issues a bunch of duff certs to phishers
- People lose money

Very little of this has happened historically because the existing CAs now in mozilla's list have been very very good at not issuing "duff" certs. As evidence of this truth, I offer the HUGE amount of press (not to mention postings in this group) that a *single* duff cert incident got a few years ago. The press held that CA up to high standards precisely because that CA already had a reputation for doing a good job of avoiding "duff" certs.

However, mozilla is now considering changing its standards for admission
to mozilla's trusted CA list.  I think there is substantial risk of
increased "duff" certs (especially SSL certs) from this plan.

- The MF decides, pragmatically, that CA Foo has sold too many certs to yank their root cert, due to user inconvenience.

This says to me that MF needs to hold a high standard before admitting certs to the list, because it's too difficult to take them out later.

- The MF instead declares that CA Foo's root cert will be yanked in 6 months, unless they clean up their act, and that sites should not rely on CA Foo's certs working in 15% of browsers 12 months from now.

MF might declare that, but I doubt it would ever enact the threat. Doing so would only hurt mozilla.

When something that previously worked stops working in a browser,
end-users' perceptions are always "that darn buggy browser is junk",
never "that web site's admin hasn't got a clue about security".

Too many users live in caves.  They wouldn't learn about the CA cert
removal until their web pages stopped working.  Then they'd gripe
en masse about mozilla.  Not about the duff CA, but about mozilla.

BTW, where do you think mozilla would tell the world about such a
plan to remove a CA cert?  If the IDN issue couldn't make it onto
www.mozilla.org's front page, what chance has CA news of getting
onto ANY mozilla.org web page?

- The resultant storm of publicity and uncertainty and doubt causes CA Foo registrations to drop, and CA Foo to clean up their act, and beg us to issue a joint press release to that effect.


-- Nelson B

_______________________________________________
mozilla-crypto mailing list
http://mail.mozilla.org/listinfo/mozilla-crypto