Duane wrote:
Ian G wrote:


Right, but considering that this is *email*
and CAs are simply some optional extra to do
with commercial users (and we saw what they
want) then when it comes to *email* there is
no need to bash anyone's head over any issue.


I see 2 primary benefits of including a CA in the chain, firstly email
is spoofable, and unless you plan to use a white list to annoy the crap
out of everyone before you'll accept mail then the CA in most cases
includes a minimum level before issuing, at least I don't know of any
testing certs issued without a mail probe.

2nd benefit is in the revocation, how many PGP keys are floating round
in cyberspace that can't be revoked?


Right.  I think CAs can add some value to
the certificates in email, and if any of
these ideas see the light of day, I'd suggest
that the implementors think about how they
migrate users from "self-signed" basic level
to something a bit better.  Migration from
nothing to adequate to strong is a much easier
task than leaping from nothing to everything.

(So, dumb user question, but was I right in
my guess that CACert certs aren't working in
Tbird at the moment?  Or do I need to keep
looking for some other problem?  Basically,
TBird won't let me email with signing as the
cert is invalid, so it says.)

iang
--
News and views on what matters in finance+crypto:
        http://financialcryptography.com/
_______________________________________________
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security