On Feb 9, 2008 8:50 AM, Frank Hecker <[EMAIL PROTECTED]> wrote:
> We also have the problem that the cure (removal of root certs) is often
> seen as worse than the disease (problems with particular CAs), in the
> sense that the actual security threat to users is perceived as not
> justifying provoking user annoyance at having a whole set of SSL sites
> suddenly stop working. So instead of going with the "nuclear option" of
> removing root certs, in practice we've fallen back on the alternative of
> nagging CAs to improve their practices (of which the issue at hand is
> yet another example).

See, that's the problem... there's also a conflict of interest in Mozilla (and the other browser vendors). They have to maintain market share, which means ensuring compatibility -- even when the compatibility flies in the face of one of the reasons why the CA program exists in the first place (basically, it was started by Netscape to make it possible for people to have faith in the identities of the entities they were giving their credit card numbers to, in order to facilitate electronic commerce).

The end result is that anyone who chooses to spend a hundred thousand bucks or so on a single audit can then go around selling the benefit of their inclusion in the trust list to the highest bidder without fear of repercussion. Which is what they've been doing. And nobody has the balls to stand up and say "user security is more important than user convenience". (In addition, roots have been sold to other companies, which have not passed continuing conformance audits.)

With this kind of a view, it's more of a "you have to have money and spend money to make money" game than any kind of attempt to adhere to the principles that actually allow the system to be 'secure'. Without fear of delisting and decertification, CAs are running roughshod (not just 'are going to run roughshod', but 'ARE RUNNING roughshod'), making a farce of the process and the 'trust' in place.

Without a clear view of user security held by a majority of the Mozilla Foundation board, everything that happens on this list with respect to CA inclusion requests is as effective as pseudointellectual masturbation.

Not that my vote counts for anything since I'm not a member of MoFo, but until these issues are resolved I must vote 'nay' to any additional inclusion requests under the current guidelines.

-Kyle H
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto