Gervase Markham wrote:
>
> No, but it does tell you whose door the police can go knocking on if he 
> logs into your online banking and steals all your money.
>
> Identity is a reasonable proxy for intention, because criminals don't 
> want to be caught.
> Except that you would need to review all the code before it was signed, 
> not just at the beginning, and (in the case of malicious intent) find 
> things the code did which the code author was intending to hide from 
> you. Which is impractically expensive and time-consuming.
>   
Absolutely right! This is the logic about code-signing certificates, 
something which many seem to ignore here...
>> But we know in advance no process will be perfect. So what's really 
>> important is to have the absolute guarantee that his certificate gets 
>> revoked as soon as you decide it should. And a very efficient 
>> dissemination process for revocation information; relying on the user 
>> downloading tens of CRLs from various CAs will never fit the bill.
One note concerning that: A CRL gets downloaded whenever a certificate 
from the specific CA is encountered. Also, CRLs are valid for a certain 
time, so there isn't a need to "download tens of CRLs"! Obviously CRLs 
are not really flexible; that's why OCSP responders are (going to be) 
used. OCSP provides almost instant information about the validity of a 
certificate and will be used by default in Firefox 3.

But I don't believe that the Mozilla foundation has an interest in 
running a CA, because this entails much more than publishing a 
CRL... Usually those are complex systems with very high security 
requirements and regulations. I guess that Gerv has a lot of knowledge 
on this subject and can confirm that this isn't an option...

-- 
Regards
 
Signer:      Eddy Nigg, StartCom Ltd.
Jabber:      [EMAIL PROTECTED]
Phone:       +1.213.341.0390
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
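
Added illustration, not part of the original message or of any Mozilla code: a toy model of the CRL behaviour described above, where a CRL is fetched only when a certificate from that CA is encountered and is reused until it expires, which leaves a window in which a new revocation is not yet seen (the gap OCSP is meant to close). The class names, the issuer names, serial 1001, the 24-hour lifetime and the dates are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Crl:
    next_update: datetime      # client may reuse the CRL until this time
    revoked: frozenset         # revoked certificate serial numbers

class ToyCa:
    """Constructed stand-in for a CA's CRL distribution point."""
    def __init__(self, lifetime):
        self.lifetime = lifetime
        self.revoked = set()

    def publish(self, now):
        # Simplification: a fresh CRL is issued at request time.
        return Crl(now + self.lifetime, frozenset(self.revoked))

class CrlCache:
    """Client side: one cached CRL per issuer, fetched lazily."""
    def __init__(self, cas):
        self.cas = cas         # issuer name -> ToyCa
        self.cache = {}
        self.fetches = 0

    def is_revoked(self, issuer, serial, now):
        crl = self.cache.get(issuer)
        if crl is None or now >= crl.next_update:
            crl = self.cas[issuer].publish(now)   # simulated download
            self.cache[issuer] = crl
            self.fetches += 1
        return serial in crl.revoked

def demo():
    t0 = datetime(2007, 1, 1)                      # constructed timeline
    day = timedelta(hours=24)
    ca = ToyCa(day)
    client = CrlCache({"Example CA": ca, "Never-seen CA": ToyCa(day)})
    seen = [client.is_revoked("Example CA", 1001, t0)]   # first encounter: fetch
    ca.revoked.add(1001)                                 # CA revokes serial 1001
    # Two hours later the cached CRL is still valid, so the client misses it.
    seen.append(client.is_revoked("Example CA", 1001, t0 + timedelta(hours=2)))
    # After nextUpdate the CRL is re-fetched and the revocation becomes visible.
    seen.append(client.is_revoked("Example CA", 1001, t0 + timedelta(hours=25)))
    return seen, client.fetches

if __name__ == "__main__":
    print(demo())
```

The CRL of the issuer that is never encountered is never downloaded, and the length of the stale window is bounded by the CRL lifetime the CA chooses.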
