* Eddy Nigg:

>> just because CAs start to play games with each other. This is not
>> about "security proper". You're trying to pull us into a PR attack
>> on one of your competitors, thereby willingly reducing confidence
>> in ecommerce. (I'm exaggerating a bit, of course.)
>
> Exactly the opposite is true. If at all, I'm trying to encourage
> responsible competition on *equal* footing without compromising the
> security of the relying parties. It needs just *one* CA to devalue the
> collective work of browser vendors, certification authorities and
> cryptography specialists. Only one! Unfortunately some CAs take their
> responsibilities less seriously than others - which in turn gives them a
> competitive advantage.
I can understand that point of view. But what you seem to be asking is
that browser vendors take the role of judges, regulating CA behavior.
Shouldn't that be better left to the court system, keeping Mozilla out
of the loop? What advantage does Mozilla gain by acting as a judge on
day-to-day operations of CAs?

It might make sense to demand additional elements in the CPS for future
root additions, and re-audit existing roots.

> CAs (should) have controls in place to prevent that from
> happening.

Could you explain what you're doing in this area? (A "no" is perfectly
acceptable because nothing you can do is totally secure, so keeping the
mechanisms secret actually buys you something.)

Anyway, one thing that comes to my mind is domain control verification
over multiple communication channels, perhaps by injecting multiple
email messages at different points of the Internet, to make at least
sure that any hijacking is rather close to the subject. But I don't
think you have to answer to multiple mail challenges for DV
certificates.

> [1] https://bugzilla.mozilla.org/show_bug.cgi?id=460374

There might be a legitimate business reason to do this form of
interception (doing this to get "free AV" is quite common, I suppose).
But I agree it's interesting.

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
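The suggestion in the message above, running the domain-control challenge from several network positions so that a hijack would have to sit close to the subject, can be turned into an issuance rule. The following is an added example written for this page; it is not code from the thread, from Mozilla or from any CA. The observation records, the vantage-point labels, the challenge token, the addresses (RFC 5737 documentation ranges) and the function names `decide_issuance` and `sample_observations` are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Constructed challenge value the CA would have asked the applicant to publish.
TOKEN = "c0ffee-constructed-challenge-token"


@dataclass(frozen=True)
class VantageObservation:
    """Result of one domain-control check performed from one network position."""
    vantage: str                   # hypothetical label for the network position
    observed_token: Optional[str]  # token seen at the domain, None if absent/unreachable
    resolved_ip: Optional[str]     # address the domain resolved to from this position


@dataclass(frozen=True)
class Decision:
    issue: bool
    reason: str
    dissenting: Tuple[str, ...]    # vantage points that did not corroborate the challenge


def decide_issuance(expected_token: str,
                    observations: Iterable[VantageObservation],
                    quorum: int = 3,
                    max_dissent: int = 0,
                    require_consistent_address: bool = True) -> Decision:
    """Corroborate a DV challenge across vantage points before issuing.

    Rules (hypothetical policy, not any CA's actual one):
      * at least `quorum` positions must have seen the expected token;
      * at most `max_dissent` positions may have seen something else;
      * optionally, the corroborating positions must agree on the address
        the domain resolved to, so a hijack visible from only part of the
        Internet shows up as disagreement rather than being outvoted.
    """
    obs = list(observations)
    if len(obs) < quorum:
        return Decision(False, f"only {len(obs)} vantage points, need {quorum}", ())

    agree = [o for o in obs if o.observed_token == expected_token]
    dissent = tuple(o.vantage for o in obs if o.observed_token != expected_token)

    if len(agree) < quorum:
        return Decision(False, f"only {len(agree)} of {len(obs)} vantage points "
                               f"corroborate the challenge", dissent)
    if len(dissent) > max_dissent:
        return Decision(False, f"{len(dissent)} dissenting vantage point(s) exceed "
                               f"the allowed {max_dissent}", dissent)
    if require_consistent_address:
        addresses = sorted({o.resolved_ip for o in agree if o.resolved_ip})
        if len(addresses) > 1:
            return Decision(False, f"corroborating vantage points resolved the domain "
                                   f"to different addresses: {addresses}", dissent)
    return Decision(True, f"{len(agree)} of {len(obs)} vantage points corroborate "
                          f"the challenge", dissent)


def sample_observations(scenario: str) -> List[VantageObservation]:
    """Constructed observation sets for two situations (example data only)."""
    vantages = ["eu-west", "us-east", "ap-south", "sa-east"]
    if scenario == "clean":
        # Every position sees the applicant's token on the applicant's server.
        return [VantageObservation(v, TOKEN, "192.0.2.10") for v in vantages]
    if scenario == "regional_hijack":
        # Only one position is routed to a host that answers with the token;
        # the rest reach the legitimate server, which never published it.
        return [VantageObservation("eu-west", TOKEN, "198.51.100.7")] + [
            VantageObservation(v, None, "192.0.2.10") for v in vantages[1:]]
    raise ValueError(f"unknown scenario {scenario!r}")


if __name__ == "__main__":
    for scenario in ("clean", "regional_hijack"):
        d = decide_issuance(TOKEN, sample_observations(scenario))
        print(f"{scenario:16s} issue={d.issue} reason={d.reason} dissenting={d.dissenting}")
```

The address-consistency rule is deliberately conservative and would need tuning for anycast or CDN-fronted domains, where different vantage points legitimately resolve to different addresses; the point of the example is that corroboration is a policy decision with explicit thresholds and an audit trail, not a single yes/no from one network position.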