First, Microsoft has already become a CA (multiple times over), and
they arguably do more things related to maintaining the
trustworthiness of the PKI than Mozilla does.

However, I believe that spamming is reprehensible.  I also believe
that the only reason that spammers actually spam is because of the
very low cost of sending out UCE, which means that only 1 of 50,000
spams needs to respond to make a profit.

In order to reduce the effectiveness of this flavor of spam (which
only exists because the company has been accepted as "trustworthy" by
Mozilla, Microsoft, Apple, Opera, and the Konqueror team), the only
way to make it less profitable for them is to remove one of the
pillars upon which they base their spam.  Specifically, the only way
to make it less profitable is to cost them their browser support,
which would render their CA services valueless.

If Mozilla tolerates this (and I am specifically stating this as Frank
is capable of making at least some policy choices on behalf of the
Mozilla Foundation), then what else will it tolerate?  Spam is a
proposition which is more damaging to user security than any PKI
attack can be -- it is a proposition which is essentially a denial of
service attack against their email boxes.  (Remember, 'availability'
is one of the things that has always been part of all of the security
protocols that the IETF evaluates -- in this case, though, the
processing power of the user herself is being abused.)

Also, does Mozilla want to go on record as tolerating spam?

-Kyle H

On Sat, Feb 28, 2009 at 9:16 AM, Frank Hecker
<hec...@mozillafoundation.org> wrote:
> Eddy Nigg wrote:
>>
>> I suggest to Microsoft and Mozilla to make it a policy requirement of CAs
>> to refrain from spam and sending of unsolicited mail.
>
> In my original "CA certificate metapolicy" document from 2004
>
>  http://hecker.org/mozilla/ca-certificate-metapolicy
>
> I wrote the following:
>
>  18. ... The [Mozilla CA certificate] policy should not arbitrarily
>  exclude CAs from consideration based on factors such as the CA's
>  size, reputation, *business practices not related to certificate
>  issuance*, profit or nonprofit status, geographic location, and the
>  like. [emphasis added]
>
> As part of the discussion of the metapolicy, I wrote the following in
> response to a comment from Ben Bucksch stating that he didn't want roots
> included for a company "proven to be ruthless", and asking whether we'd
> accept Microsoft as a root CA:
>
>  I wasn't proposing to ignore the CA's track record specifically
>  as a CA, I was referring instead to the CA's general reputation as
>  a business. To answer your hypothetical question: if Microsoft acted
>  as a CA, and if Microsoft properly did the things one would expect a
>  CA to do, then why should their root CA cert not be included? Whether
>  Microsoft is a "good" company or "bad" company in terms of other
>  non-CA-related business practices (for example, the sorts of things
>  that got them in trouble with the US and EU) is IMO of little or no
>  relevance.
>
> http://groups.google.com/group/netscape.public.mozilla.crypto/msg/45e7135322b15f4c
>
> So, consistent with my position back then, I am *not* in favor of our
> imposing a policy requirement that CAs (or their resellers) not engage in
> spamming. It's not directly relevant to a CA's performance as a CA.
>
> Frank
>
> --
> Frank Hecker
> hec...@mozillafoundation.org
> --
> dev-tech-crypto mailing list
> dev-tech-crypto@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-tech-crypto
>