On Tue, Apr 1, 2008 at 11:15 AM, Frank Hecker <[EMAIL PROTECTED]> wrote:
>
> In the thawte case you cite, thawte changed its practices to start
> issuing DV certs from a CA hierarchy not previously used for that, but
> its practices were still within boundaries outlined in our policy (which
> does allow issuance of DV certs). So I don't really see a security issue
> here in terms of how this would affect typical users.
>
Great. I certainly hope this is an April Fool's joke, but I have to proceed on the basis that it's not.

So... Please tell me how to completely disable all Mozilla Foundation included CAs without having to individually change the trust settings on all of them? I can't trust Mozilla's certificate policy to protect my interests -- I can't trust Mozilla's policy to ensure that strictures that I originally relied on in the certificate issuance policies haven't been relaxed, thus compromising my own ability to trust the certificate issuers involved.

Alternatively, please tell me how I can auto-accept any presented root certificate in Firefox?

It seems I have exactly two levels for trust here: I can either do due diligence and examine the certificate issuance policies of each and every vendor every time I get a certificate issued by them (since, as the Thawte example shows, certificate policies can change for the worse at any time with no direct information of people who would otherwise rely on their certificates), or I can accept anything on the concept that the only reason I as a user would need to know about it is if I were going to pass my credit card information to someone who shouldn't have it -- but since there's no liability or exposure to me from my credit card, I don't need to worry about it.

What's the functional, least-astonishing difference between domain-validated certificates not intended for commerce, and higher-integrity certificates intended for commerce? What extension exists to mark a certificate as being DV? What extension exists to mark a certificate as being intermediate validation? How can I, as a user, determine if a certificate is DV versus IV or OV or EV without having to fight the user interface to find the information? I've seen DV certs being used on sites that ask for commercial information.

The problems exist -- and you're hiding behind a (demonstrably broken and problem-laden) policy to ignore all the problems.
So, I want to opt out of relying on your policy, and I want to opt out of these strictures which serve only to maintain the dominance of a market sector which exists only for the purposes of extortion from people who want to try to do the Right Thing[tm].

-Kyle Hamilton

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto