On 10/10/2008 01:48 AM, Ian G:
> Weeeelllll.... whatever it is, you'd like it; read on.

Actually I did :-)

> IN CONSIDERATION OF YOUR AGREEMENT TO THESE TERMS, YOU ARE ENTITLED
> TO USE VERISIGN INFORMATION AS SET FORTH HEREIN.
>
> https://www.verisign.com/repository/rpa.html
>
> Now, curiously, unless we agree to that text, we can't even rely on
> that agreement, let alone certs, due to its broad commentary, my
> emphasis above. That even applies now that the RPA is delivered
> under a pretty green cert ;)

It's certainly an "interesting" approach Verisign took here... I think Rick Andrews happens to be on this list, or somebody else from Verisign can comment on it.

However, for what it's worth, the agreement itself is more or less what I'd expect (rpa.html). The RP obligations are reasonable:

    As a Relying Party, you are obligated to ensure the reasonableness of
    your reliance on any VeriSign Information by: (i) assessing whether the
    use of a Certificate for any given purpose is appropriate under the
    circumstances; (ii) utilizing the appropriate software and/or hardware
    to perform digital signature verification or other cryptographic
    operations you wish to perform, as a condition of relying on a
    Certificate in connection with each such operation; and (iii) checking
    the status of a Certificate you wish to rely on, as well as the
    validity of all the Certificates in its chain.

At the end of the day all the legalities are only necessary in case something goes really wrong, in which case an RP might or might not be tied to this agreement (it still has to stand up in court first). Also, Verisign makes explicit reference to their liability (limitations), which sounds reasonable to me too.

(I'm not here to defend Verisign, but I'm commenting on it nevertheless.)

> I'm not Mozilla, so I guess we have to ask: Frank, is there any
> such agreement that explicitly gives Mozilla permission to RELY?
> I think this should be granted.

It's a good point, but certainly also a solvable one.

> I don't think there is an agreement, and I think the reason is
> historical, not nefarious, these things just weren't thought about
> way back when, and it is an acknowledged fact that there hasn't been
> so much (if any) review of grandfathered CAs.

Yes, even though Verisign went through the same procedures as every other CA with their last request for upgrading to EV.

> Does it want to impose this on Verisign? Eddy, I guess you are
> happy to take on that (having expressed those opinions) .. but what
> about the others?

Let's hear about those...

> (That is my assumption; the authors
> were probably not directly thinking about certs. Either way, it's
> the only guide I know of, because the policy doesn't address this
> question.)

Another good point to pick up...

> OK, I'm not enough of an expert in agency / principal legal theory
> to fully understand what the above "take care of it" approach does
> when contrasted with the real agreements in place.

Technically, NSS (in Firefox) does perform the RP obligations of the Verisign RP agreement. The legal requirements bound to their agreement (which doesn't have to stand up in court, but isn't hard to prove either when using Firefox) might need some review.

> OK, we should check EV to see what it says.

There are no RP agreements, but limited liability per RP.

-- 
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: [EMAIL PROTECTED]
Blog: https://blog.startcom.org

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto