Gervase Markham wrote:
Ian G wrote:

That's definitely a strategy :-) It may be that the
MoFo people can structure it such that suing means
nothing, and another organisation pops up to take
its place.


Just to check: who do you expect us to get sued by? CAs who don't get included? Or customers who have lost money through CAs we have included?


Ug.  I hate talking about legal stuff.  OK, here goes.
Sorry it's so long.

The major case that is emerging and bubbling through
attorneys' minds is that of a class-action suit against
the banks and FIs.  Now, the issue is that even when/if
this is launched it doesn't get close to the nub of the
problem because banks are mostly victims themselves.

(There is an analogue of this in Florida at the moment,
so we can pretty much guess that this step will take
place soon enough:  "banks sued for phishing losses.")

So a second phase - or a comprehensive first phase -
is likely to bring in the software suppliers and the
CAs.  How this is done is for the future to solve.  This
is a bit tricky because up until now, software suppliers
have been considered a no go area.  But if one reads
the news, it's fair to guess that the honeymoon might
be over.  Read any 10 articles on Choicepoint to pick
up the mood of the times.

(This is the tricky bit.  But bear in mind that the
strategy that goes into class action suits is quite
mindboggling.)

The software suppliers are the browser makers and the
OS manufacturers.  The server suppliers don't seem to
have much to do with it.

Now, by various steps, this means that Microsoft is
included at all levels.  Plus they always have to be
included because they have the money.

It also means that Verisign is a target, and possibly
AOL/Netscape and RSADSI will be dragged in too.  The
reason for the latter is the fairly simple statement
that SSL was meant to stop spoofing and it doesn't,
it just stopped some spoofing.  They designed it, and
M$ just followed along.

(BTW, it's pretty clear that
these companies know about the class action threat,
if one knows where to look, one can see the signs.
But of course they don't advertise this.  Microsoft is
the world's biggest recipient of class actions, so I
gather, so I guess they know enough about it by now :)

That's the core.  Now we get to the fringes - the other
browser manufacturers.  They may or may not also be
listed as co-defendants, depending on the day.  It
could also be purely tactical, one party could end
up on either side depending on the whim of the filer.

So the danger for Mozilla is that it will get dragged
in for purely coincidental reasons.  Frank indicates
they have money and lawyers, so this is no big deal;
but for my part, having been through the mill once,
I'd prefer to think strategically, and posture the
organisation to be at the forefront of fighting the
problem, not in the rear ranks of ostriches.  Suing
the one who does the most to stop phishing is a losing
strategy...  That's not only my opinion.

One of the problems with Mozilla is its relationship
to Netscape.  It "accepted" the root list without
question.  So this is a pretty good reason why the
Hecker project has to be given as much support as
possible - once the entire root list is re-evaluated,
and policies in place, it distances Mozilla from the
parentage.  But the longer the root list is a copy,
the more "Mozilla just went along..."  This is why
Frank is so careful to document the policy, so as
to stamp it a Mozilla effort.  (So say I, he might
just say that's being professional.)

It's really very complex stuff and also mindblowing.
But, none of the above is actually ... news.  If I
had to make a call, I'd say there is a 90% chance
that banks will be sued in this fashion, and that
there is a 50-50 chance that the software suppliers
will also get dragged in.  Beyond that, it's a dice
roll.  If you know any class action attorneys, ask
them, I'd be interested to hear what they have to
say.

iang
--
News and views on what matters in finance+crypto:
        http://financialcryptography.com/