Anders Rundgren wrote:
> http://www.mozilla.org/projects/security/certs/policy
> From what I have seen on this list there has been a lot of talk about
> inclusion of various CA root certificates in the Mozilla distributions.
> IMO, most of these CAs are insignificant except for SSL certs.

Well, to some extent one could argue that the same applies for SSL
certs. The original purpose of SSL certs was to encrypt credit cards,
and while a fair bit of that goes on, the new use of *importance* is one
where the authentication requirements are king: online payments (and
banking, stock, etc). That is, phishing being a failure of
authentication, not encryption, indicates that anything that might
improve authentication might help phishing.
Now, it could be argued that if there is a real need to provide real
protection, then EV might be the direction. It is only O(10000) sites.
If this is indeed an argument that is accepted, it suggests a lowered
bar for all the rest.
As I understand it, this is Mozilla's current posture, albeit unwritten.

> Why? Because the vast majority of organizations (in the rare situation that
> they use client-side PKI), actually issue their own client-certificates.
> BTW, I don't see that other providers of security software are particularly
> anxious to extend their preconfigured trust lists.

Right, this is a challenge to the concept that all CAs are the same.
Clearly they are not, but can they be made the same? Your argument
would be that they are not in a client-side, geographical context. The
EV argument would be that they are not, in a server-side authentication
context.

> Some of the CAs like the recently discussed Hungarian CA also seem to
> be of local interest in the same way as the 16(!) qualified certificate
> CAs operating in Italy.

Yes. Qualified CAs do not represent a difficulty for Mozo, IMHO, as
they are well regulated already (although recent discussions indicate
there are clashes between PKIX and qualified approaches at the technical
level).

> Anyway, if the goal is establishing a user/client-level CA trust list, Mozilla
> is not even close and that IMO makes the whole idea somewhat less
> powerful.

What Mozilla's goals are in security is obviously a hot topic :)

> It doesn't matter if it is wrong, stupid, or unsecure, but for consumer
> authentication local / private PKIs rule, and I don't see that changing
> due to things like business models, liability concerns, and cultural
> differences.

Business models: well, the best we can do here is to surface the
different interests. The problem I see here is that in security, nobody
speaks for the user. It is mostly corporations, speaking as if.
Liability: this is a huge issue that all should look towards. CAs set
liability to zero, approximately, in general. Mozilla should do the
same. Once this is done, it removes a false barrier that we keep
tripping over; and we can better add value once it is gone.
Cultural: I agree it is a barrier. The Europeans and North Americans
don't see eye-to-eye in PKI nor security. I have no easy answer to that
one.
All of which supports your claim that, for consumers / individuals,
local / private PKIs rule.

> I do not intend to respond to this posting because I understand that
> this is a sacred cow, and I do eat meat :-)

As I've written at length elsewhere, the goals in security are not
aligned well with other goals in open source, open internet and
peer-to-peer communications.
iang