Re: What we want [was: Audit requirements for government CAs]

2008-04-02 Thread Gervase Markham
Eddy Nigg (StartCom Ltd.) wrote: Currently the ratio of EV certs is below 1% of overall SSL secured web sites. If EV doesn't get a significant market share, your priorities might have been wrong and we should have addressed other issues as well. I don't really have the bandwidth to dive

Re: What we want [was: Audit requirements for government CAs]

2008-04-02 Thread Gervase Markham
Kyle Hamilton wrote: Please tell me how to completely disable all Mozilla Foundation included CAs without having to individually change the trust settings on all of them? I can't trust Mozilla's certificate policy to protect my interests -- I can't trust Mozilla's policy to ensure that

Re: What we want [was: Audit requirements for government CAs]

2008-04-02 Thread Frank Hecker
Eddy Nigg (StartCom Ltd.) wrote: Yes, this is a good argument in favor of EV and EV is exactly intended for that. Just a pity the rest of the public PKI is left broken, no matter what the reasons are (by design, lack of interest, commercial interests, etc), because there is more to protect

Re: Audit requirements for government CAs

2008-04-02 Thread Frank Hecker
Gervase Markham wrote: Frank Hecker wrote: It's a reasonable proposal, and we did look into doing this. Unfortunately there are .com domains and perhaps other non-.kr domains with certs issued by CAs in the KISA-rooted hierarchy. This is not unique to KISA and Korea either AFAIK. I

Re: What we want [was: Audit requirements for government CAs]

2008-04-02 Thread Eddy Nigg (StartCom Ltd.)
Frank Hecker: Gervase Markham wrote: The EV distinction is clear. And EV exists precisely because the line between DV and IV/OV is fuzzy, and it would have been very difficult to correctly discern the difference programmatically. This is a key point worth emphasizing. We use the

Re: What we want [was: Audit requirements for government CAs]

2008-04-02 Thread Frank Hecker
Eddy Nigg (StartCom Ltd.) wrote: Frank Hecker: (As a side note, based on my experience with and reading about industry dynamics, I think that advances in PKI-related technologies are much more likely to occur in new protocols and new products than in mainstream cases like browsing SSL web

Re: What we want [was: Audit requirements for government CAs]

2008-04-02 Thread Eddy Nigg (StartCom Ltd.)
Frank Hecker: I don't want to go off on a tangent, but I think the Skype model is more significant than you think. There is a problem that nobody knows what encryption this is and which keys are involved and who has access to these keys etc. Skype is fine for me, but I wouldn't exchange

Wrong problem. Re: What we want [was: Audit requirements for government CAs]

2008-04-01 Thread Anders Rundgren
I want people to finally realize that signed and encrypted e-mail has a much more limited scope than originally envisioned and there is no policy or technical solution that can change that. Due to the limited scope of S/MIME the problems associated with CAs do not really exist. The only public

Re: Audit requirements for government CAs

2008-04-01 Thread Frank Hecker
Benjamin Smedberg wrote: At the time, I believe I counter-proposed that the government certificate in question should be trusted to validate the identity of sites within that country: i.e. a Korean government CA would have a limited root which could only verify the identity of sites within

Re: What we want [was: Audit requirements for government CAs]

2008-04-01 Thread Frank Hecker
Kyle Hamilton wrote: What do I want? I want a use-case which expresses why the certificate validation policies (as implemented by NSS) must be so draconian. I want a use-case which expresses, clearly, why certificate validation problems have to be modal and completely disrupt the user's

Re: What we want [was: Audit requirements for government CAs]

2008-04-01 Thread Eddy Nigg (StartCom Ltd.)
Frank Hecker: This brings up a point that was implied by my previous comments in response to Eddy, but that I want to make explicit: IMO the reason why we have a CA policy is *not* because the Mozilla Foundation wants to be or needs to be the CA police, tracking down and punishing bad

Re: What we want [was: Audit requirements for government CAs]

2008-04-01 Thread Eddy Nigg (StartCom Ltd.)
Kyle Hamilton: On Tue, Apr 1, 2008 at 11:15 AM, Frank Hecker [EMAIL PROTECTED] wrote: In the thawte case you cite, thawte changed its practices to start issuing DV certs from a CA hierarchy not previously used for that, but its practices were still within boundaries outlined in our

Re: Wrong problem. Re: What we want [was: Audit requirements for government CAs]

2008-04-01 Thread Nelson Bolyard
Anders Rundgren wrote: I want people to finally realize that signed and encrypted e-mail has a much more limited scope than originally envisioned and there is no policy or technical solution that can change that. Due to the limited scope of S/MIME the problems associated with CAs do not

Re: Audit requirements for government CAs

2008-04-01 Thread Eddy Nigg (StartCom Ltd.)
Nelson Bolyard: Frank Hecker wrote: Benjamin Smedberg wrote: At the time, I believe I counter-proposed that the government certificate in question should be trusted to validate the identity of sites within that country: i.e. a Korean government CA would have a limited root which

Re: Audit requirements for government CAs

2008-03-31 Thread Frank Hecker
Eddy Nigg (StartCom Ltd.) wrote: How stupid! If that's limited to secure government to government or citizen to government transactions, how is that limited in the software or certificate(s)? And what would its use be for the regular, typical average user? I'm not a government nor employed

Re: What we want [was: Audit requirements for government CAs]

2008-03-31 Thread Eddy Nigg (StartCom Ltd.)
First of all thank you for your reply! I understand that each such mail is an effort and consumes time (know it from myself). I appreciate it! Frank Hecker: It's a secondary point, but I don't automatically accept the proposition that CA practices have gotten much worse since we originally

Re: What we want [was: Audit requirements for government CAs]

2008-03-30 Thread Eddy Nigg (StartCom Ltd.)
And in continuation to the other posts I made: - Do we require an audit in the Mozilla CA policy because we want to have a third party confirmation about the CA's infrastructure and full implementation of its policies or do we require an audit just for its sake? - Do we require minimal

Re: What we want [was: Audit requirements for government CAs]

2008-03-30 Thread Eddy Nigg (StartCom Ltd.)
Kyle Hamilton: I want a user interface which allows me -- at a minimum -- to see what CA signed a given certificate, how that CA is in my store (whether it was provided by Mozilla or the administrator or through my own action), the subject of the certificate, and the validity period of the

Re: Audit requirements for government CAs

2008-03-30 Thread Eddy Nigg (StartCom Ltd.)
Frank Hecker: Microsoft has taken an interesting approach to this problem, one that I think is worth discussing: [F]or government CAs who issue certificates to secure government to government or citizen to government transactions, Microsoft will accept a statement from a government or

Re: What we want [was: Audit requirements for government CAs]

2008-03-30 Thread Frank Hecker
Eddy Nigg (StartCom Ltd.) wrote: But our Mozilla policy hasn't kept pace with the developments of the CA industry and that of its browser, except the addition of the EV criteria. Effectively the Mozilla CA policy remained static since its introduction, which is perhaps desirable (that a

What we want [was: Audit requirements for government CAs]

2008-03-29 Thread Eddy Nigg (StartCom Ltd.)
I've seen during the last two years, serious work is basically non-existent). I came to the decision to write this mail and raise these questions, because I felt it somewhat pointless to provide my expertise upon the mail from Frank with the title Audit requirements for government CAs, without

Audit requirements for government CAs

2008-03-28 Thread Frank Hecker
As I implied in my previous message about the KISA request for inclusion of its roots, government CAs can pose special problems in the context of our current Mozilla CA policy, and I wanted to take the opportunity to discuss the topic briefly, since we may want to consider future changes to