Nelson Bolyard wrote:
> Wow!  I'd say that a CA that says "You cannot rely on our certs for
> eCommerce" should not be trusted for SSL by default in Mozilla products!
> 
> Of course, that's a policy issue.  Frank, what do you think?

It is a policy issue, and we've had this discussion before. My point has 
always been that SSL certs have multiple valid uses, and enabling online 
purchasing and other financial transactions ("ecommerce") was one such 
valid use but not the only one. Another valid use is using SSL to 
provide extra security for non-financial applications, e.g., to encrypt 
authentication information (passwords) and transaction data over the 
wire, and to provide a measure of protection against DNS spoofing. IMO 
domain-validated certs are adequate for this purpose, and that's the 
major reason I argued that they be included under our policy.

I think the statement Eddy references is basically a case of Comodo 
being honest and admitting that LiteSSL certs are adequate for some 
purposes (e.g., securing a low-value personal or small group site like 
my own) but not for others (e.g., running an online store). That 
statement strikes me as unexceptional.

Frank

-- 
Frank Hecker
[EMAIL PROTECTED]
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
