On 26/12/08 02:28, Gen Kanai wrote:

On Dec 26, 2008, at 1:49 AM, Frank Hecker wrote:

Beyond that? It's somewhat of an open question.

Frank

Mozilla needs to have a concrete policy and procedures in place so that
there is no question as to what the penalties would be for future
actions of this kind.


Penalties ... tough talk, but what does it really mean?

Basically, all that a vendor can do is to drop the root. (Ok, we can fiddle with the trust bits, but it seems a little bit like fiddling to me.)

In short, it is DROP or NIX. Can we say, "blunt weapon"? Either the vendor is small, so it matters not, or the vendor is huge, and it matters a great deal. (In that latter case, it then matters a great deal to the CA. It could be a deal killer. E.g., bankruptcy. Which means, Mozilla has to get that *right* or it faces another issue, further downstream. Deep pockets plus aggressive liquidator equals not-nice maths.)

How does Mozo make the "right" decision here? Part of the problem in making it "right", whatever that means, is that according to classical browser PKI it is not the responsibility of Mozo or any other vendor to do anything, let alone deciding what "right" is.

Classically, this is the policy, in a nutshell:

    CA sets up.
    CA gets audited.
    some technical things are checked...
    root is added.

It is that second part that is the clue: the audit. It is the audit's area to check whether the CA is following some sort of policy or practice or compliance.

So, if there is a failure, the first question to ask is whether this failure is in the Audit's responsibility, or whether it is a vendor issue? It might be one, or the other, or BOTH. Certainly, in the current case, the vendor does not have the information to make a decision, whereas the Auditor might reasonably, having been in there and kicked the tires?


(Although I think, it is a singular observation: there is no effective dispute resolution for this case or any other. What does that say?)



iang