Ian G wrote:
Frank Hecker wrote:
Note that I have already corresponded with Hugo regarding our policies
regarding including new root CA certificates in Firefox and
Thunderbird. (I suggested submitting a formal request for these CA
certificates to be included; however the Chilean CAs are apparently
like many CAs in other countries: They are authorized to operate under
Chilean digital signature legislation, but have not undergone any
other third-party audits like WebTrust.) I also pointed out that
including CA certificates specifically for the Chilean localized
version would require approval under the Mozilla trademark policies.
Excellent news. You are going to be busy. As there are 200
or more countries out there, you have a job for life, Frank ;-)
Yes. I told Frank that we can't afford or promote a postulation
of the Chilean CAs to the WebTrust or the Mozilla policy. We don't
have any connections with them!
So don't worry about the legal and policy issues, I am already aware
of the situation there. I think a more relevant question is: Does it
actually make sense to build an extension to install root CA
certificates? It seems to me that from the user's point of view the
process of downloading and installing an extension is no more or less
complicated than the process of downloading a root CA certificate and
marking it for acceptable uses. I don't really see why an extension is
preferable, unless it would be installing multiple root CA certs and
thus avoiding the need for the user to do multiple cert downloads.
But the plugin could do more than one thing: Imagine that
you took either trustbar.mozdev.org or petname.mozdev.org
and prepackaged the national CA cert with it. Then, you
could customise it and spread it, and get both a phishing
solution as well as the CA root.
We currently have 3 CAs approved by our government to operate,
and the digitally signed documents using their certificates have
legal validity.
Of course people could download every root CA cert on their own,
but our final concern is to PROMOTE FIREFOX, so... with a package that
includes the 3 certs, and perhaps customized bookmarks, and localization
of language... it's far better than using Explorer, don't you think? ;)
In fact, it occurs (why didn't we think of this before!) that
CACert should do this: get together with those teams and
suggest they package the roots in there. As they are both
open source products, there is nothing stopping CACert from
doing this.
(Duane!)
This is a short term solution; but the future of browsing is
in those plugins. If there is increased interest in CA root
certs, then it is *only* because of the rise of phishing and
the worry that this causes in countries outside the USA, so
it makes sense to develop one's solution to phishing in a way
that makes a difference.
(Hugo, you understand that adding the national CA root cert
won't protect your users against phishing, right? In fact,
as outlined in the GeoTrust document in great length, it may
make matters worse, without proper on-chrome protection like
that of trustbar, petname or the GeoTrust plugin.)
Yes, I understand.
As I pointed out above, our primary concern isn't about security,
but promotion. This kind of plugin could make a big difference.
Hugo
_______________________________________________
mozilla-crypto mailing list
http://mail.mozilla.org/listinfo/mozilla-crypto