Dear madame Roaster, (assuming that only a nanny goat would want to roast a billy goat...)
On Monday 09 May 2005 20:30, [EMAIL PROTECTED] wrote:
> Hi, Frank, et al.
>
> COMODO has been offering FREE fully signed certs:
> http://www.instantssl.com/ssl-certificate-products/free-ssl-certificate.html?currency=USD&region=North%20America&country=US
> (since 2002:
> http://www.instantssl.com/ssl-certificate-news/ssl-171202.html ). This
> is worse than Bug 290491.

I don't understand. Those pages refer to either certs that are bundled with other non-free services, or short life time certs that are set up for testing purposes.

Either way what is the problem with free certs? Why are they "better" because they are expensive? Surely we need objective criteria relating to the ability to check the domain and any other issues, rather than the rather subjective price sticker that might or might not be subject to marketing rather than technical issues?

Or are you saying you work for an expensive CA, and your goats are feeling the heat?

> I urge mozilla.org to adopt and enforce the latest revision of Frank's
> proposed policy. CAs are in a race to the bottom, and we mustn't help.

CAs are in a race to deliver a service, before they all go bust on low sales. Somebody scratched a business plan out on a napkin back in the early 70s, and that napkin was touted around until the mid 90s when the dotcom boom sucked it up like all the other vapourware.

If CAs can't make a market in what they do, then it is very hard to justify Mozilla's continued support for the PKI at all. Perhaps it is better to scrap all the code and start again rather than try and save the cert sales market?

Trying to restrict cert sales to high priced CAs only serves to slowly stifle the market for security. Have a look at the securityspace.com stats and try and work out how to share about 100k worth of certs per year across dozens or hundreds of CAs, and pay for all the audits and systems, and make a profit!

> Also, this URL shows links to some excellent demos of issues mozilla
> apps may not be prepared for:
> http://www.vengine.com/site-authentication/index.html
> (assume hackers use your user-agent string to make the images match
> your browser).
> (It seems like they're providing a solution (vengine) to a problem and
> (in their participation in the race to the bottom, admittedly) helping
> break it.)

These attacks seem to work regardless of the use of SSL and/or certs from any CA. What is your point - if it relates to Comodo?

iang
--
http://iang.org/
