I just want to add a thought or two after following this thread from the sidelines...
Paul Hoffman wrote:
>> I don't know if I like the idea of saying that a commercial
>> organization has more authority to identify for global commerce than
>> any individual government, though.
>
> Exactly. I strongly suspect that KISA would do a better job at
> checking identification of a Korean company in .com than the CAs in
> the lowest quartile of capabilities whom we fully trust to do so.

CAs obviously rely heavily on government-issued identification documents and registrations (of organizations). They are the number one source for verifications by regular CAs. In that respect a government might do the best job (exceptions are of course fraud performed by its own citizens, agencies etc.). On the other hand, can the government of one country perform verifications of an identity of a different country? Yes, it can do that, the same way as regular CAs perform this job. The question is if and how the government in question performs such verifications, what its CA policy says about that, and whether this policy has been confirmed in some way... Are these documents public? What does its public key infrastructure look like? What are the criteria and issuance policy? I think these should be the guidelines for considering a regional/any CA.
I think that section 6 of http://www.mozilla.org/projects/security/certs/policy/ makes it easy:

* provide some service relevant to typical users of our software products;
* publicly disclose information about their policies and business practices (e.g., in a Certificate Policy and Certification Practice Statement);
* prior to issuing certificates, verify certificate signing requests in a manner that we deem acceptable for the stated purpose(s) of the certificates;
* otherwise operate in accordance with published criteria that we deem acceptable; /and/
* provide attestation of their conformance to the stated verification requirements and other operational criteria by a competent independent party or parties with access to details of the CA's internal operations.

Does the government CA in question have a service relevant to typical users? Yes or no? Publicly disclose information about their policies and business practices? Yes or no? And so on... In that respect a government-run CA might or might not conform to the basic criteria of the Mozilla policy.

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: [EMAIL PROTECTED]
Phone: +1.213.341.0390