I believe that Startcom (and other certification authorites in Mozilla's root program) would likely have cause to bring an action for the tort of negligence against Mozilla. I feel that this is something that Mozilla should likely ask its general counsel very quickly.
0) Comodo is plainly found to have derelicted its duty to uphold the Mozilla CA agreement. As a result, damage to the trust in the PKI occurs, causing people to look outside of the PKI for solutions to the problems that encryption and authentication can solve. 1) As a result of this Startcom and other CAs in the PKI have a reduced market for their products. (damage) 2) Mozilla has the authority and ability to remove CAs from its trust list if and when they are found to be negligent in their duties. It, as an organization which attempts to vet the CAs that it includes in its PSM and which has policies which allow for it to take action should the policies be breached, has accepted the duty to remain diligent. (duty, and proximity of duty, since in order to get into the program in the first place all CAs in the PKI must accede to Mozilla's demands of trustworthiness.) 3) Mozilla fails to remain diligent, and fails to remove trust bits upon notice of dereliction. (causation, which leads to the trust in the PKI being eroded further.) I am not a lawyer, this is not legal advice, etc. I'm trying to prevent Mozilla from having problems. -Kyle H On Tue, Dec 23, 2008 at 2:05 PM, Paul C. Bryan <em...@pbryan.net> wrote: > Presumably it was Comodo that underwent an audit to be added to > Mozilla's roots, and Comodo should not be allowed to delegate trust to > their resellers for domain validation. If, today, trust is delegated > to their resellers, then we can't trust Comodo, period. > > Although disruptive, their trust bits should be suspended. The > explanation to users: "The CA purporting to provide assurance about > the site you are trying to visit cannot be trusted. Please contact the > site operator and advise them to find a trustworthy certification > authority." > > Yes, perception is that Mozilla releases code expressly to "break" > access to legitimate sites, but this is because a trusted CA has gone > rogue. Users can still jump through hoops to expressly include the > site's certificate and keep going. > > The trust model for browsers should be fail-safe, even if this > inconveniences users. Better that than me and countless others > inadvertently exposing my credentials to a site pretending to be my > bank, investment house, government revenue agency, etc. > > If Mozilla doesn't pull the trust bits, what's it's accountability for > any breaches that occur due to keeping the bits? With assurance must > come liability, whether from the certification authority, or those who > are implicitly trusted with vetting them. > _______________________________________________ > dev-tech-crypto mailing list > dev-tech-crypto@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-tech-crypto > _______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
