Hi Kyle,

Kyle Hamilton wrote:
> I'm just going to point out something that a couple of friends
> recently pointed out to me. The business models of commercial CAs
> involve what is essentially "selling trust".
>
> If you look at the fact that they have no real accountability, no
> procedure in place in any of the browsers to revoke their trust as a
> matter of policy if they violate their CSPs, and a need to maintain a
> positive cash flow, you will quickly see that there are severe
> conflicts of interest inside the individual organizations.

I'm aware of that very much!

> (If you don't believe my assertion that there is no means to remove
> root certificate trust as a matter of policy, I am still waiting for
> action on Thawte's issuing of SSL123 certificates by a root which had
> a CSP which stated that no SSL server certificates would be issued
> without at least "medium assurance" of identity. This issue was
> brought up before I moved to my Mac as my primary machine, so over a
> year and a half ago.)

Of course I understand your disappointment at such a violation. However, the Mozilla CA policy defines only a minimum requirement in its policy; should this one be breached, it would be a reason for removal. There is, to my very big disappointment, no way to distinguish between domain validation and identity validated and/or organization validated certificates. The only thing which exists today is EV and all the rest.

> Frankly, this entire discussion is utterly and disgustingly ludicrous
> in light of this.

Ridiculous? I think placing a CA root (even with limits) into just anybody's hands without any verifications and controls in place is unacceptable. So why should any CA bother to provide third party attestations, not speaking about actually writing and implementing a policy etc.? Because some CAs had sloppy procedures in place before that?

> Add to this the fact that there is no legal recourse available for
> "relying parties" if the CA somehow fails to live up to its CSP, and
> the entire argument falls completely on its face.

I agree that it's difficult, but not impossible. But you can't sue a CA which told you upfront what they are not going to do. In this case they tell us quite frankly that they have no intention to perform any acceptable controls and verifications. Their CP/CPS says so, and with that being the legal framework, you can't even think about suing.

> You all seem to be frighteningly disconnected from the realities of
> the situation if you're still arguing the minutiae of trust models
> allowed by CSPs. I lost my faith in the process you're trying to
> follow long ago.

If this is the case, we should allow any CA into NSS, most notably a certain Australian project. The barrier would be a self-audit, as in the case of the WISeKey subordinate CAs.

--
Regards

Signer: Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber: [EMAIL PROTECTED] <xmpp:[EMAIL PROTECTED]>
Blog:   Join the Revolution! <http://blog.startcom.org>
Phone:  +1.213.341.0390