Ian,

Ian G wrote:

If you follow the KCM logic, you would have to give an application
warning, which is completely unwarranted under current standards.

If the new cert is unauthentic, then it would cause some form of alert
that would be entirely warranted. Currently, a false cert will slip
through without any change.

For what definition of false?

Right. But look at the end-user's question in another thread. It isn't
being answered. The issue here is that Firefox is acting like a
black box, and can't be seen inside. The equation is too complex.

Well, that black box is still open source and you can still tell what
it's doing if you care about every level of detail.

Were you following the threads of December? Approximately three cases
of trickiness. I'm not saying that the PKI is about to melt down, but
some of the flaws in the system that we've known for a long time became
apparent. And no solution in sight, except more of the "trust me" rhetoric.

I have been reading most of the December threads this week as I came back
from vacation. Not every line, but most. And I have to agree that some
CAs are broken. And in those cases, the solution may be to distrust as well.

It is policy, more or less, that end-users don't get to trust a
particular CA. They only get to trust Firefox's black box magic, and if
they lose, they lose. Just how inspiring is that?

You have to come up with a default. Any default list of CA certs is
better than none. Where do you expect the average user to obtain the
list of CA certs they want to trust externally?

It is policy, more or less, that *any* CA's cert is good.

Not at all. That's why there is a Mozilla CA policy, and some CAs are
shut out. You need to have at least some audits. Not saying that those
are perfect - obviously they can miss things, but they are usually still
better than nothing. If the audits are worthless, then there is a
problem and better auditors need to be found ...

It is policy, more or less, that nobody accepts the responsibility for
this.
Do you believe in all that?

No, it shouldn't be. Certainly the CAs should accept some responsibility
for the certification services they offer and charge for. I believe some
do contractually.

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto