Gervase Markham wrote:
> David E. Ross wrote:
>> Face it: some governments are corrupt. Others are not corrupt in the
>> sense of officials taking bribes and acting on their self-interests, but
>> they act in ways that western democracies might find offensive. In
>> this latter group are nations that practice or at least allow genocide
>> within their borders or that deny their citizens basic civil liberties.
>
> And denying the citizens of other countries basic civil liberties by
> locking them up without trial on a Caribbean island is just fine and
> dandy...
>
> Of course, the UK can't talk. We are putting some of our citizens under
> "control orders", which is basically a way of denying your liberty
> without a trial as well.
>
> Still, both examples go to show that the bright line you draw isn't
> quite so bright.
>
>> Some would include those nations that stifle dissent by censoring the
>> Internet;
>
> Such as the banning of auctions of Nazi memorabilia?
>
>> others would include nations that ignore international
>> treaties regarding patents and copyrights.
>
> Of course. When making the decision between saving your people's lives
> by making generic AIDS drugs, and respecting international patent
> treaties, clearly the right choice is...
>
> The line blurs further.
>
>> Across this wide spectrum,
>> what is common among all of these nations is a disregard for integrity
>> and ethical behavior. Can we trust them? Can we trust them when they
>> certify a CA?
>
> Can we trust a CA in their jurisdiction? Can we trust the integrity of
> an auditor in their jurisdiction? What's to prevent the NSA knocking on
> Verisign's door and saying "give us your root private key. And don't
> tell anyone we were here"? Why do you think rsync.net has a Warrant Canary?
>
> Many of our CAs are in the US. Yet there are people and governments out
> there who do not trust the US at all. So what are we to do? One possible
> answer is to say that the default Mozilla root store is not populated in
> a way that guarantees the privacy of your secrets from governments. If
> you wish to have such privacy, you may need to make changes to the store
> yourself.
>
>> How can you write an objective policy that allows secret government
>> certification of a CA and also weeds out governments that cannot be
>> trusted?
>
> How do you define "governments that cannot be trusted"?
>
> Gerv

Your last sentence is exactly my point. It would be very difficult to
create an objective policy that allows some governments to certify CAs
but not allow others. This is true without regard for the issue of
secret certifications.

However, the issue at hand is whether all governments should be allowed
to use secret certifications. If the answer is "not ALL governments",
then we must avoid all secret certifications.

I still don't understand why either South Korea or France insists that
their audits are classified. What purpose does classifying them serve?
Yes, I know that governments (including my U.S. government) often
classify data and documents without any good reason. However, they also
sometimes declassify things when over-zealous classification creates
problems.

Not only should Mozilla not accept classified audits. We should also
put that into the formal policy. Where classifying an audit makes sense
(e.g., for a military CA), users and system administrators have the
ability to install the affected root certificates without involving
Mozilla; in that case, even the existence of the root certificate might
itself be classified.

--
David E. Ross
<http://www.rossde.com/>.

Anyone who thinks government owns a monopoly on inefficient, obstructive
bureaucracy has obviously never worked for a large corporation. © 1997
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto