Risk management, Gervase. If a company/domain-owner can securely identify what CA they use, that prevents any other CA -- even one who ends up inadvertently issuing certificates contrary to their CPS -- from causing damage, and thus lowers the risk of any individual CA that may be in any given browser from blundering. These lists of CAs are huge, and protecting from 120 possible threats by denying all by default and adding explicitly-trusted-by-server-to-identify-server CAs to the "allowed" list one at a time... well, let's just say that it's a lot harder to get an inside man into one specific company than it is to get an inside man into any of the companies on the list.
(And since the list of "trusted" CAs on the client is unknown, it's entirely possible that the Chinese Firewall exists -- a bunch of proxy servers that are trusted for every domain in the world. If one could signal that the only acceptable CA for the domain was not Chinese Firewall-type, then one could know that, for example, you'd never have to worry about the Chinese police trying to extradite you for speech which is free in your country, but which is anathema in that country.)

...but then again, with the Chinese Firewall theory, you also get the Brain In A Vat scenario, where you'd never be able to tell if your input was bogus.

-Kyle H

On 8/18/06, Gervase Markham <[EMAIL PROTECTED]> wrote:
Balint Balogh wrote:
> Without this security measure, any CA that has its certificates in client
> software has the power to thwart SSL/TLS security by issuing fake certificates
> claiming to belong to *.example.com servers or email addresses.

If you think they might do that, why might they not do it for other domains your users use (e.g. their bank)? Surely you either believe a CA is trustworthy to correctly issue certificates for websites or it isn't?

Or are you concerned that a rogue employee at an otherwise honest CA will have a particular wish to undermine your company and employees and will cause a single bogus certificate to be issued as part of his campaign to target you?

Gerv
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
--
-Kyle H
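
The deny-by-default, per-domain CA allowlist argued for in this message, as an added sketch that is not part of the original thread. The policy table, CA names, hostnames and function names are all constructed assumptions; the trust store is sized at 120 to match the figure used in the message.

```python
from dataclasses import dataclass

# Constructed stand-in for a client trust store: 120 CAs, each trusted for every domain.
TRUST_STORE = {f"CA-{i:03d}" for i in range(1, 121)}

# Hypothetical policy published by domain owners: the only CAs allowed to vouch for them.
# Assumption: a "*." entry covers every subdomain below that name.
DOMAIN_POLICY = {
    "example.com": {"CA-007"},
    "*.example.com": {"CA-007"},
}

@dataclass(frozen=True)
class Cert:
    subject: str  # hostname the certificate claims (exact match only, for brevity)
    issuer: str   # name of the issuing CA

def policy_for(host):
    """Return the CA allowlist covering host, or None if its owner published none."""
    host = host.lower().rstrip(".")
    if host in DOMAIN_POLICY:
        return DOMAIN_POLICY[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in DOMAIN_POLICY:
            return DOMAIN_POLICY[wildcard]
    return None

def accept(host, cert):
    """Ordinary trust-store check first, then the owner's allowlist if one exists."""
    if cert.subject.lower() != host.lower():
        return False
    if cert.issuer not in TRUST_STORE:
        return False
    allowed = policy_for(host)
    if allowed is None:
        return True  # no policy published: any trusted CA is accepted
    return cert.issuer in allowed

def accepted_issuers(host):
    """Every CA whose certificate for host this client would accept."""
    return {ca for ca in TRUST_STORE if accept(host, Cert(host, ca))}

if __name__ == "__main__":
    for h in ("mail.example.com", "bank.test"):
        print(h, len(accepted_issuers(h)), "accepted issuer(s)")
```

For a domain with a published allowlist the number of CAs whose mistake matters drops from 120 to the one listed; a domain without one keeps the full exposure.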