Gervase Markham wrote:
At the moment, I've been asked not to say who has been invited apart from us and Comodo (the organisers). I assume I will be able to, either closer to the time or afterwards.
Why should something that will potentially affect all of us be shrouded in such secrecy? Who has something to hide here? Security through obscurity doesn't cut it; isn't that the exact opposite of one of the premises that's supposed to make open source software better?
I'm not organising it so again, I couldn't say. Contact Steve Roylance at Comodo - [EMAIL PROTECTED]
I've cc'd him on my reply... So Steve, are you guys planning to issue meeting minutes? Or do you guys have stuff planned you'd rather not have public feedback on or knowledge about until well after it's been implemented?
I don't think anything will be done solely with the intent of locking others out of the space. However, I'm wary of giving assurances on this matter because I suspect that things which I think are reasonable steps to increase accountability would be seen by you as lock-out attempts.
Basically I think your intents are altruistic, but when it comes to large multinational companies looking to "improve trust on the internet" one must wonder about their motives, especially since Verisign (via Thawte) and Comodo are both offering control of email/domain certificates already, and they're supposed to be addressing the issue when they continue to issue these certificates.
As an example (and I don't know of anyone who is actually suggesting this), what if we made all CAs who issued non-zero accountability certs post a $1,000,000 bond against losses from phishing attacks performed using their certs? Would you consider that a lockout measure?
Not all the certificates we issue are "zero accountability", although as our web of trust gets bigger and more cross-connected, and with things like feedback on the actual process, things should get a lot more interesting in terms of our ability to make some statements of identity.
Although the flip side of this is that even if you check people's ID, there are a lot of countries where it isn't worth the paper it's written on, so in fact you're wrapping a strong layer around a very weak one. I just don't see what can be done, especially in central African nations... DNA? Hell, I see the procedures of most CAs at this point in time as MUCH worse.
The paper I've written reflects the direction I think we should be going in, and I believe that a number of other groups present are thinking along the same lines. Do any of those measures look designed to lock others out of the space to you?
I'm not worried so much about your comments as those of others coming to the table, which is why I'd like to know who those others will be. Already you've listed Comodo and Verisign, and time and time again in the past Verisign has exhibited anti-competitive behaviour, maximising how much money it can milk from people for as little effort as it thinks it can get away with, and I'm not talking about their ventures in the CA space, à la Site Finder.
Basically little birdies have told me that Verisign is walking a fine line on this issue; if they push too much (which is why I'm guessing Comodo is the front runner) they run the risk of breaching both anti-trust and RICO laws, so yes, I really would like to know what others are planning to bring to the table.
--
Best regards, Duane
http://www.cacert.org - Free Security Certificates
http://www.nodedb.com - Think globally, network locally
http://www.sydneywireless.com - Telecommunications Freedom
http://happysnapper.com.au - Sell your photos over the net!
http://e164.org - Using Enum.164 to interconnect asterisk servers
"I do not try to dance better than anyone else.
I only try to dance better than myself."
_______________________________________________
Mozilla-security mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-security
