Ian G wrote: [...]
OK, that's good to know that there is no number involved. That just leaves us with determining what information *is* in this cert, and how it is that it needs to be presented to the user, and what the legal and contractual ramifications of all this information is.
We should refer directly to the documentation about that :
http://portal.etsi.org/docbox/EC_Files/EC_Files/ts_101862v010201p.pdf
(also http://www.ietf.org/rfc/rfc3039.txt for more generic qualified certificate information)
The fact that it might be easy to parse doesn't make it easy to present. How do you envisage presenting this information? [...] What are the contractual ramifications for the parties? What happens if it goes wrong?
(And, I don't think the answer to the above is
"nothing" as if it was, there would be no need
for a law and no need for a critical bit.)
In the case of the hungarian CA, I'm not sure "nothing" is such a bad answer. To be more precise, the qualified CA cert is just one step toward producing a qualified signature, which would be present only if all components were qualified. So as long as Mozilla is not qualified, it's not a qualified signature, and the use of a qualified CA changes very little.
What would seem to me adequate to present this information would be a text saying "this certificates claims to be a qualified certicate" in the certificat details. Nothing more.
(OK, my wording is wrong, as the certificate is not a living being and can't claim anything)
Actually, for the monetary limit, I'd just add another text at the same place : "this certificate can be used as a qualified certificate for transactions restricted to a maximum value of _Amount_ _CurrencyCode_".
[...]You're not giving an acurate representation of things.
Let me repeat what I said: "It certainly opens a can of worms." That statement is as I see it, and I'd dearly love to be corrected on that.
My "not acurate" was refering the following kind of statements you did :
">> What happens if IangInsidiousIssues sells >> certs with the crit in it saying $100,000 but >> inside the crit text, there is a caveat saying >> that the limit only applies if spent in my >> shop buying my goods?"
"what is inside the extension packets is open, *by definition*, and they may or may not be marked with a critical bit."
About the can of worms, the one opened by those extensions does not really makes the situation worse for X509 certificates.
We've had the "Non Repudiation" usage bit for a long time, and nobody agrees on what it means exactly to assert it.
If you concerns were fully justified, the current Mozilla could already be considered liable by not showing in a very visible way that this flag is asserted.
_______________________________________________
Mozilla-security mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-security
