Frank Hecker wrote:
> Note that I have already corresponded with Hugo regarding our policies
> regarding including new root CA certificates in Firefox and Thunderbird.
> (I suggested submitting a formal request for these CA certificates to be
> included; however the Chilean CAs are apparently like many CAs in other
> countries: They are authorized to operate under Chilean digital
> signature legislation, but have not undergone any other third-party
> audits like WebTrust.) I also pointed out that including CA certificates
> specifically for the Chilean localized version would require approval
> under the Mozilla trademark policies.

Excellent news. You are going to be busy. As there are 200
or more countries out there, you have a job for life, Frank ;-)

> So don't worry about the legal and policy issues, I am already aware of
> the situation there. I think a more relevant question is: Does it
> actually make sense to build an extension to install root CA
> certificates? It seems to me that from the user's point of view the
> process of downloading and installing an extension is no more or less
> complicated than the process of downloading a root CA certificate and
> marking it for acceptable uses. I don't really see why an extension is
> preferable, unless it would be installing multiple root CA certs and
> thus avoiding the need for the user to do multiple cert downloads.

But the plugin could do more than one thing: Imagine that
you took either trustbar.mozdev.org or petname.mozdev.org
and prepackaged the national CA cert with it. Then, you
could customise it and spread it, and get both a phishing
solution as well as the CA root.
In fact, it occurs (why didn't we think of this before!) that
CACert should do this: get together with those teams and
suggest they package the roots in there. As they are both
open source products, there is nothing stopping CACert from
doing this.
(Duane!)
This is a short term solution; but the future of browsing is
in those plugins. If there is increased interest in CA root
certs, then it is *only* because of the rise of phishing and
the worry that this causes in countries outside the USA, so
it makes sense to develop one's solution to phishing in a way
that makes a difference.
(Hugo, you understand that adding the national CA root cert
won't protect your users against phishing, right? In fact,
as outlined in the GeoTrust document in great length, it may
make matters worse, without proper on-chrome protection like
that of trustbar, petname or the Geotrust plugin.)
iang
--
News and views on what matters in finance+crypto:
http://financialcryptography.com/
_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto