On 11/09/2008 08:38 AM, Kyle Hamilton:
> Because you're assuming that everything that occurs in this world exists in a corporate environment, Eddy.
Well, I didn't mean only the corporate environment, but also any hobbyist geek. Those are the ones who lament against PKI in general and promote self-signed certs.
> I don't care who you are, what interests you represent --
I represent the interests of anybody seeking a secure Internet and better reliance and productivity. I personally invested time and money to provide the services StartCom does, and the way it does, mainly because I realized that an alternative to the established CAs must be offered in order to improve overall security and reliability. The StartCom CA wasn't established with the goal of further facilitating the establishment and their cause, but to provide an alternative. Just as a reminder, in 2004/5 digital certificates weren't so cheaply available as today...
Now I'm interested in getting rid of self-signed certificates if possible. They undermine "legitimate" certificates and put the majority of users under an unneeded risk. That's one of my goals today!
> Do you really think that I or anyone else am going to be willing to limit our behavior to those things which an entity which isn't even a government is willing to assign authority for?
Browser vendors effectively govern CAs and with it all digital certificates. It's a fact and it's in their hands what they do with it. I recognized that power very early and planned accordingly. You can bang your head against a wall - it won't help.
Personally I feel that they do it quite right and have reasonable requirements - first and foremost Mozilla.
> (And since it's as easy to generate a client certificate which is signed by the user's self-signed CA certificate, you can't simply say that you would let any certificate that wasn't signed by itself have something of a pass in the trust evaluation -- it would chain to an unknown root, which would present the same issue as a self-signed root.)
No! It's much better than that, because it requires you to explicitly ask the user to trust the CA root. This way users can "self-organize their own networks" as you requested earlier. Anybody willing to trust you or any other CA can install the root, benefit from your decisions and procedures and you even have the ability to revoke issued certificates. No UI will prevent the install of the root and no error screen will appear thereafter.
And that's much better than having to trust a self-signed certificate on-the-fly because somebody got directed to a certain URL.
BTW, the only certificates which should be self-signed should be roots, as you quite well know - that's how PKI is implemented. And roots shouldn't be used to secure web sites or to sign emails. Actually it would also show something about the least capabilities of the issuer of the cert...
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Jabber: [EMAIL PROTECTED]
Blog: https://blog.startcom.org
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
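The trust evaluation Eddy describes above, as an added example in Go that is not part of the thread: a self-signed site certificate and a certificate chaining to a root the relying party has not installed both fail path validation with the same unknown-authority error, and the same certificate validates once the root is explicitly added to the trust store. The names (Hobbyist Root CA, www.example.test) and the clock-derived serial numbers are constructed for the demo, which uses only Go's standard library.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// newCert issues a cert for cn signed by signer under parent; a nil parent means self-signed
// (a root when isCA, otherwise the kind of self-signed site cert the thread argues against).
func newCert(cn string, isCA bool, pub ed25519.PublicKey, parent *x509.Certificate, signer ed25519.PrivateKey) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), // constructed serial, not CA bookkeeping
		Subject: pkix.Name{CommonName: cn}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign
	} else { // only end-entity certs carry the hostname and the serverAuth EKU
		t.DNSNames, t.ExtKeyUsage = []string{cn}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil {
		parent = t
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, signer)
	if err != nil {
		panic(err) // demo code: fail fast instead of threading errors through
	}
	c, _ := x509.ParseCertificate(der) // DER produced a moment ago always parses
	return c
}
// verdict runs path validation against the trust store roots and names the error type:
// "<nil>" on success, "x509.UnknownAuthorityError" when the chain ends at an untrusted issuer.
func verdict(leaf *x509.Certificate, roots *x509.CertPool) string {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: leaf.Subject.CommonName})
	return fmt.Sprintf("%T", err)
}
// Scenario contrasts a self-signed site cert, a cert chaining to a root the relying party
// has not installed, and the same cert once that root has been explicitly trusted.
func Scenario() (selfSigned, untrustedRoot, installedRoot string) {
	rootPub, rootKey, _ := ed25519.GenerateKey(rand.Reader) // only fails if rand.Reader does
	leafPub, leafKey, _ := ed25519.GenerateKey(rand.Reader)
	root := newCert("Hobbyist Root CA", true, rootPub, nil, rootKey)
	leaf := newCert("www.example.test", false, leafPub, root, rootKey)
	self := newCert("www.example.test", false, leafPub, nil, leafKey)
	none, installed := x509.NewCertPool(), x509.NewCertPool()
	installed.AddCert(root) // the explicit "trust this CA root" step the reply describes
	return verdict(self, none), verdict(leaf, none), verdict(leaf, installed)
}
func main() { fmt.Println(Scenario()) }
```

Both failing cases come back as the same error type, which is the point of the reply: a leaf under an uninstalled private root is no better placed than a self-signed leaf until the relying party deliberately trusts that root.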