At 10:10 AM +0100 5/28/07, Gervase Markham wrote:
>Paul Hoffman wrote:
>>  Exactly. I strongly suspect that KISA would do a better job at checking
>>  identification of a Korean company in .com than the CAs in the lowest
>>  quartile of capabilities whom we fully trust to do so.
>
>But do we fix that problem by allowing the Korean government-audited CA
>to testify to the identification of anyone, or do we fix it by raising
>the standards of identification for existing CAs?

The former. We do not have any experience in the latter, we do not 
have the manpower to enforce the latter, and we take on a fairly 
hefty financial responsibility if we choose the latter.

If we allow the end user to truly be their own CA (and that takes a 
fair amount of UI design, review, and coding), we allow the end user 
to trust others to vet the standards of identification for existing 
trust roots. The end users interested in this might trust someone who 
does have the experience, manpower, and responsibility for doing that 
to advise them on which trust roots to use. For example, a large 
corporation might tell its employees, or a government might advise 
its citizens, "these are the trust roots we have audited to bind 
these types of identities".

The current setup, where Mozilla and Microsoft and so on do some 
light-weight vetting, is fine for most users in most situations.
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
