Kyle Hamilton wrote:
> You all seem to be frighteningly disconnected from the realities of the
> situation if you're still arguing the minutiae of trust models allowed by
> CSPs. I lost my faith in the process you're trying to follow long ago.
We're all aware that the traditional SSL/PKI/CA mechanism/model/industry has major problems in both theory and practice. Nevertheless, SSL exists, CAs exist, and we have to deal with them one way or the other.

As evidenced by past discussions in relation to our Mozilla CA policy, some people are basically of the opinion that it doesn't matter anyway, and we should just not worry about vetting CAs; other people think it's vitally important that we hold CAs to very strict standards. The present Mozilla policy and its application in practice essentially are attempts to find a middle way; like all compromises, these attempts by nature will annoy almost everyone and satisfy almost no one. (And I count myself among those annoyed and not satisfied.)

We also have the problem that the cure (removal of root certs) is often seen as worse than the disease (problems with particular CAs), in the sense that the actual security threat to users is perceived as not justifying provoking user annoyance at having a whole set of SSL sites suddenly stop working. So instead of going with the "nuclear option" of removing root certs, in practice we've fallen back on the alternative of nagging CAs to improve their practices (of which the issue at hand is yet another example). I harbor no illusions that nagging CAs is going to "fix" the SSL/PKI/CA problem, but I think it has been useful to some degree in terms of getting CAs to publish better information, make changes to some practices, and so on.

I can't speak for other people, but in this case (WISeKey) I think it would be useful to have a little more information about what's going on with regard to these customer-hosted CAs, without necessarily thinking that that information is going to radically change my view of the situation one way or another. I'll look again through the information WISeKey has provided already (which is a fair amount), and then ask a few more questions if needed.
Frank
--
Frank Hecker
[EMAIL PROTECTED]
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto