On 4/15/05, Gervase Markham <[EMAIL PROTECTED]> wrote:
> Tyler Close wrote:
> > 1. As Frank previously suggested, make SSL sites certified by an
> > unknown CA have the same UI features as an http:// site.
> > 2. As I've suggested, make the petname tool a default part of the
> > browser UI.
> 
> In what way do either of these suggestions relate to the subject of this
> thread - Hugo's wish that the root cert of a
> Chilean-government-certified CA be included in Mozilla?

For many use cases, my suggestion eliminates the need to bundle CA
certificates in the browser. By adopting this approach, I suspect we
can meet Hugo's needs as well as the needs of others wishing to add a
CA cert to the browser.

Currently, the purpose in bundling a CA certificate in the browser is:

A. Eliminate the pop-up dialog that appears when a new CA is encountered.
B. Distribute the public key of the new CA.

Step 1 solves A. Step 2 provides an alternate way of storing the
cryptographic identity of a site. When using the petname tool, a
bookmark stores the public key hash of the CA. Hugo could distribute a
browser with cryptographically strong links to particular sites,
simply by providing additional bookmarks. Users could create
additional cryptographically strong links to sites certified by the
Chilean CA, simply by assigning petnames using the petname tool.

I suspect the bottom line for Hugo is that he would like the Chilean
people to be able to browse Chilean SSL sites without requiring a
vulnerability to a non-Chilean entity. I think my suggested
modifications to Firefox meet this need.

Tyler

_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto
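
A simplified model of the bookmark lookup described in the message above, as an added example that is not part of the original message or the petname tool's own code. SHA-256, the store layout, the indicator strings, and the sample keys and site names are all assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass, field


def key_hash(ca_public_key: bytes) -> str:
    """Hash of the CA public key bytes (SHA-256 is an assumption here)."""
    return hashlib.sha256(ca_public_key).hexdigest()


@dataclass
class PetnameStore:
    # (CA public-key hash, site name from the certificate) -> user-chosen petname
    bookmarks: dict = field(default_factory=dict)

    def assign(self, ca_public_key: bytes, site_name: str, petname: str) -> None:
        self.bookmarks[(key_hash(ca_public_key), site_name.lower())] = petname

    def lookup(self, ca_public_key: bytes, site_name: str):
        """Return the petname, or None when this (CA key, site) pair is unknown."""
        return self.bookmarks.get((key_hash(ca_public_key), site_name.lower()))


def indicator(store, scheme, ca_public_key, site_name) -> str:
    """UI state for a page load: SSL without a petname looks like plain http."""
    if scheme != "https" or ca_public_key is None:
        return "no-identity"
    petname = store.lookup(ca_public_key, site_name)
    return f"petname:{petname}" if petname else "no-identity"


# Constructed sample data: placeholder bytes stand in for encoded CA public keys.
CHILEAN_CA_KEY = b"constructed-chilean-ca-public-key"
OTHER_CA_KEY = b"constructed-other-ca-public-key"


def demo():
    store = PetnameStore()
    # A bookmark shipped with the browser, no bundled root certificate involved.
    store.assign(CHILEAN_CA_KEY, "tax.example", "Tax office")
    return [
        indicator(store, "https", CHILEAN_CA_KEY, "tax.example"),    # known pair
        indicator(store, "https", OTHER_CA_KEY, "tax.example"),      # same name, other CA
        indicator(store, "https", CHILEAN_CA_KEY, "other.example"),  # no petname yet
        indicator(store, "http", None, "tax.example"),               # plain http
    ]


if __name__ == "__main__":
    for state in demo():
        print(state)
```

The second result is the one that matters for the argument: a certificate for the same site name issued under a different CA key gets no petname, so the link stays bound to the key the bookmark recorded.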
