"Having said that, neither myself nor the company I run have gained financially from this - currently it seems that all CAs have taken damage. Reckless behavior is ruining our businesses; the trust we try to build and the strengthening of Internet security at large are put into jeopardy. It is my duty to prevent that if possible.

There is no conflict of interest even if the result of my involvement would put a competitor out of business - it's their failure, not mine. And with it, they risk the reputation and security of Mozilla and all relying parties which depend on it."

Riiiight. A couple of observations on all of this (having read most all of the other original thread) as a disinterested observer (full disclosure: I used to resell SSL certs some time back).

1. You kid only yourself if you think you have no appearance of conflict of interest in this issue. You do, in spite of your wishing not to. But you are not alone. The prior thread was in full dogpile mode against Comodo by a few who seem to have some baggage against them, judging by the level of reaction compared to the severity of the issue and its corresponding triage by Comodo. IMHO.

2. You would do well to reflect and consider whether or not the complete commoditization of domain-validated certificates themselves, both by their very nature (email validation of domain ownership. I mean, really now) and by the pricing models employed by the various competitors in the SSL field (yourself notable among them), have not done more harm to the industry, or more specifically to the relative level of security, authority and credibility of SSL as a security model as perceived by users. Once one acknowledges that being a CA is nothing more than a license to print money, subject to independent operational audits, then you can have a meaningful discussion on what 'security' you're providing to a user. See EV validation procedures and their corresponding pricing model, compared to Organization Validated certs, if you care to refute that statement. Yes, I'm looking at you, Verisign. There is such a low barrier to entry for a Domain Validated certificate even when the system works correctly. A couple of bucks to register a domain name with GoDaddy, a couple more (or zero) dollars to get an SSL cert, and any script kiddy worth his salt can now start blasting out "Please login to your BOA savings account to reverify your account info" and hope for a MITM opportunity to pop up on his monitor. DV certs have next to zero credibility on ANY website that purports to protect personal or financial info. You know that, I'm sure. There are tons of MITM attacks successfully carried out every year by crooks who have VALID DV certs on their fraud sites. How do you think RSA sells so many handheld password tokens? Which begs the question of why Mozilla needs to suddenly go into fire drill mode over RA auditing practices with respect to Comodo. It's a joke.

3. I was a little taken aback at the surprise and shock expressed by the resident experts that Comodo RA resellers do DV authentication (or at least are supposed to, as part of their resale agreements). Is this to imply that NONE of the other CAs that have wholesale agreements with third-party resellers allow a DV cert to be sold pending CA-delegated authentication directly? Are we that naive in 2009? Thawte? GlobalSign? Verisign? RapidSSL? GoDaddy? Surely Comodo is not the only one out there that allows its resellers to perform initial DV cert validation subject to CA audits. I can't prove it, but I'd bet $20 the number of primary CAs who do is greater than 1. Someone, it appears, has never taken a look at the Certification Practice Statements of the various CAs, I guess (to the extent that you can find them all). I seem to recall that the RSA X.509 spec allows for this type of subservient RA model as long as proper audit controls are in place to maintain verification compliance. In a nutshell, does anyone who declares himself an expert in the SSL industry REALLY think this caused irreparable harm to the other CAs? Should Comodo tighten up on its audit procedures? Certainly looks that way. But since any primary CA out there who does this probably only does sample audits (are YOU going to pay KPMG their hourly rate to go through every record out in the field? Not bloody likely), the possibility still exists for that 'rogue' cert to skate by. If total security is paramount, should not all CAs make sure third-party resellers validate all domains internally through them? Absolutely, but be careful about the unintended consequences of what that would do to the internal costs of the CAs, and the subsequent knock-on costs to the channel. It might even raise the prices in the street a little if they all did it at once; something positive! However, if the X.509 spec doesn't call for it, who's first in line to volunteer to implement it for DV certs? That's what you have OV and EV certs for, no? And after all, as all know, money is ultimately the reason in the SSL community for the model you have. Security is like the old analogy about getting race cars to go faster: there's always a way to improve it, but it's only limited by how much money you want to spend on it.

(fireproof suit - ON)

Mark

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto