On Sat, Nov 29, 2008 at 3:57 PM, Frank Hecker
<[EMAIL PROTECTED]> wrote:
> Anders Rundgren wrote:
>>
>> From what I have seen on this list there has been a lot of talk about
>> inclusion of various CA root certificates in the Mozilla distributions.
>>
>> IMO, most of these CAs are insignificant except for SSL certs.
>
> I'm not sure what your intended meaning is. There is no significant use of
> CA-issued certificates on the public Internet other than for enabling
> SSL/TLS.

So why is there so much bitching about S/MIME?  Oh yeah, it's cuz it's
supported by another Mozilla app.

> The primary reason CAs apply to have certificates included into NSS, and the
> primary reason we have a policy about this, is because CAs want their
> customers' SSL certificates recognized in Firefox.

Then Firefox should fork its version of NSS and manage its own
certificate trust list.  Since there are other clients of NSS, though,
NSS has taken it upon itself to manage its own trust list, "on behalf
of" those organizations that use it, whether those organizations want
to use it or not.

>> Why?  Because the vast majority of organizations (in the rare situation that
>> they use client-side PKI), actually issue their own client-certificates.
>
> Yes, because almost all use of client certificates is in enterprise
> networks, not on the public Internet.

Gee.  Maybe it's because the public internet doesn't rely on
business-flavored security.  Maybe the public internet actually needs
some cryptographic mechanism that doesn't have the same
presuppositions (and thus the same failures).

For all that Frank and Nelson seem to be worried about the user
experience, they sure seem not to lobby for improvement all that much.

>> BTW, I don't see that other providers of security software are particularly
>> anxious to extend their preconfigured trust lists.
>
> To the contrary: Microsoft has an active program evaluating and accepting
> new root certificates for inclusion into Windows. They do it for the same
> reason we do: because CAs, web site operators, and users themselves don't
> want to see errors occur when connecting to SSL-enabled web sites.

I'll note again that I very much like Microsoft's means of adding
things to the default trust list (as of Vista): MS has a certificate
that's marked for "trust list signing", and every trust list they send
out with every update to it is signed by that key.  That means that
you just have to de-trust that certificate, and you suddenly don't
trust the list they sent.

If MS can run a CA like that, why can't Mozilla?  I'd like to see
Mozilla be able to rely on the technological capabilities already
extant in NSS (by revoking a certificate) rather than relying on a
client update to simply remove the offending bundle of bits.

(That last, by the way, may actually stymie law enforcement, by
violating the forensic boundary.)

-Kyle H
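
The mechanism described above for Vista (a trust list is honoured only while the key that signed it is trusted), sketched as an added example that is not part of the original post and not Microsoft's or NSS's code. It swaps in a detached `openssl dgst` signature over a plain-text list for the real signed trust list format; the file names, the anchor-directory layout and the list entries are constructed assumptions.

```shell
#!/bin/sh
# Added example with constructed data: a client accepts a trust list only if
# its detached signature verifies under a list-signing key it still trusts.
set -eu

# Create a list-signing key pair, trust its public key, and sign a list.
# $1 = working directory (assumed layout: $1/anchors holds trusted keys)
make_signed_list() {
    mkdir -p "$1/anchors"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/signer.key" 2>/dev/null
    openssl pkey -in "$1/signer.key" -pubout -out "$1/anchors/list-signer.pub"
    printf 'Constructed Root CA 1\nConstructed Root CA 2\n' > "$1/trustlist.txt"
    openssl dgst -sha256 -sign "$1/signer.key" \
        -out "$1/trustlist.sig" "$1/trustlist.txt"
}

# Return 0 only if some key in the anchor directory verifies the signature.
# $1 = list file, $2 = signature file, $3 = anchor directory
accept_list() {
    for pub in "$3"/*.pub; do
        [ -f "$pub" ] || continue        # empty directory: glob stays literal
        if openssl dgst -sha256 -verify "$pub" -signature "$2" "$1" \
            >/dev/null 2>&1; then
            return 0
        fi
    done
    return 1
}

# Report the client's decision as a word.
decision() {
    if accept_list "$1" "$2" "$3"; then echo accepted; else echo rejected; fi
}

work=$(mktemp -d)
make_signed_list "$work"
echo "signer trusted:    $(decision "$work/trustlist.txt" "$work/trustlist.sig" "$work/anchors")"

# De-trust the signer. The list and its signature are untouched, yet this
# list and every later one signed by the same key is now rejected.
mv "$work/anchors/list-signer.pub" "$work/list-signer.distrusted"
echo "signer distrusted: $(decision "$work/trustlist.txt" "$work/trustlist.sig" "$work/anchors")"
rm -rf "$work"
```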