On 03/24/2009 10:21 PM, Kyle Hamilton:
> Hate to say it, but anyone who scans for smime.p7s files on the net
> can already do that.  The cat's already out of the bag.

What's that? You mean scanning for email addresses at large, right? That's nothing new, but look, as a subscriber one has obligations, and depending on the CA it requires a certain commitment. We haven't heard from other CAs regarding this idea, but there is more to it than just the email address and spam.

Additionally, there are email addresses one might own which are published nowhere. I'm certain you are a privacy advocate, at least enough that it would bother you to have those addresses in the hands of a party you don't like.

> I'll reiterate what I said, with annotation: "You [the CA] must
> verify/validate that a given private key [which matches the submitted
> public key] can be used to decrypt something [which is encrypted with
> that public key] sent to the email address claimed [in the initial
> request]."  I think this sounds like an "email ping or similar
> verification method."

OK, sounds interesting, and I'm certain that if this idea takes off we can figure out acceptable procedures.

>> I wouldn't like to promote the use of un-audited and perhaps insecure CAs,
>> sorry. Neither does it make sense to use them if the root doesn't exist -
>> and having the root imported via such a back-door of certificate
>> import/install utility isn't great either.
> I'd like to point out that you're (once again) raising the barrier to
> entry to the CA market, without providing any alternative for those
> online communities.

There are perhaps situations where those aren't necessarily compatible with each other. We can certainly have a discussion on this issue, preferably in a different thread, since it wouldn't be helpful for this idea and would distract. But of course we need to define the principles which guide us first, and which would receive the most support from all parties involved (crucial IMO).

As such, the Mozilla CA Policy is clear in this respect, and this is what Mozilla decided a long time ago. Additionally, Mozilla is the most flexible software vendor in this regard; I don't feel that Mozilla needs to compromise any further on this issue. Neither do I believe we should promote anything else. You can't have security and require CAs to do the audit dance, and then throw it out the back door as if it doesn't exist. Either this or that, but not both.

> Remember, I'm also all about the process of making sure that only
> people who explicitly trust a community trust what that community
> does, and I'm also all about the process of ensuring that the people
> who run the communities can do what they desire to do.  Also remember,
> there is NO online community that suffers through an audit to be able
> to open its doors.  There is NO online community that can guarantee
> 'security of accounts'.  Yet, people join them all the time, while
> they don't bother joining CAs.  I wonder why this is?

That's only partly true... but I don't see the reason to support something we don't believe in. Which means that there are enough CAs offering this service for free; we don't NEED alternatives. It would perhaps be a different argument if there weren't any CAs.

Now, if you believe in reasonable security, which I'm sure is very important to you and most members here, we want to know how those providers operate. In this particular space of cryptography and online security it's not a privilege, it's a must. Except if you prefer to forgo reasonable security, at which point I'd rather not support it...

Also, it's not entirely clear where the "community" comes in here. Which community? Mozilla's?

> For Class 1 certificates, there are very few details that would need
> to be worked out.

This is up to the CAs to decide, I believe. Perhaps we could work out something which seems reasonable, and the CAs would have to decide whether this is acceptable to them or not.

> For Class 2 and Class 3 certificates, there are more details that
> would need to be worked out, but those are more related to
> authentication of credentials before the request is moved to the CA's
> processing queue.

I think this is beyond the scope of the current idea.

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog:   https://blog.startcom.org

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
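The "email ping" verification Kyle quotes above (the CA encrypts something under the submitted public key, sends it to the claimed address, and accepts only if the applicant returns the decrypted value) is sketched below as an added example. It is not code from this thread, from Mozilla, or from StartCom. It assumes RSA keys with OAEP/SHA-256 from Go's standard library, binds the challenge to the claimed address by using that address as the OAEP label, and simulates mail delivery in-process; the type and function names (Challenge, IssueChallenge, AnswerChallenge, VerifyAnswer, EmailPing) are invented for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// Challenge is the "email ping" the CA mails to the claimed address.
// Email is the address from the request; Ciphertext is a random nonce
// encrypted with RSA-OAEP under the public key from the request, with
// the address as the OAEP label so the ciphertext is bound to it.
type Challenge struct {
	Email      string
	Ciphertext []byte
}

// pending is the record the CA keeps until the answer comes back.
type pending struct {
	Email string
	Nonce []byte
}

// IssueChallenge is the CA side: draw a fresh nonce, encrypt it to the
// submitted public key, and return both the record to keep and the
// challenge to mail. Only a party that holds the matching private key
// AND can read mail at Email can recover the nonce.
func IssueChallenge(pub *rsa.PublicKey, email string) (pending, Challenge, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return pending{}, Challenge{}, err
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, nonce, []byte(email))
	if err != nil {
		return pending{}, Challenge{}, err
	}
	return pending{Email: email, Nonce: nonce}, Challenge{Email: email, Ciphertext: ct}, nil
}

// AnswerChallenge is the applicant side: decrypt the mailed challenge with
// the private key. The label must equal the address the mail was sent to,
// otherwise OAEP decryption fails, so a challenge cannot be re-used for a
// different address.
func AnswerChallenge(priv *rsa.PrivateKey, ch Challenge) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ch.Ciphertext, []byte(ch.Email))
}

// VerifyAnswer is the CA side again: compare the returned nonce with the
// stored one in constant time.
func VerifyAnswer(p pending, answer []byte) bool {
	return subtle.ConstantTimeCompare(p.Nonce, answer) == 1
}

// EmailPing runs the whole exchange in one process. submittedPub is the key
// in the certificate request; mailboxPriv is whatever key the party reading
// the mailbox actually holds. It returns true only when both line up.
func EmailPing(submittedPub *rsa.PublicKey, mailboxPriv *rsa.PrivateKey, email string) (bool, error) {
	p, ch, err := IssueChallenge(submittedPub, email)
	if err != nil {
		return false, err
	}
	// "Mail" delivered: whoever reads the mailbox tries to decrypt it.
	answer, err := AnswerChallenge(mailboxPriv, ch)
	if err != nil {
		// Wrong key (or wrong label): no answer can be produced.
		return false, nil
	}
	return VerifyAnswer(p, answer), nil
}

func main() {
	// Constructed keys for the demonstration.
	applicant, _ := rsa.GenerateKey(rand.Reader, 2048)
	stranger, _ := rsa.GenerateKey(rand.Reader, 2048)
	ok, _ := EmailPing(&applicant.PublicKey, applicant, "alice@example.org")
	fmt.Println("holder of key and mailbox:", ok)
	ok, _ = EmailPing(&applicant.PublicKey, stranger, "alice@example.org")
	fmt.Println("mailbox reader without the key:", ok)
}
```

The point this makes that a plain address ping does not: the applicant has to demonstrate the private key and mailbox access in the same step, so a request carrying someone else's public key (the smime.p7s-harvesting scenario above) fails even if the attacker controls the address, and a challenge issued for one address cannot be answered for another because of the label. A real CA would additionally expire and rate-limit pending challenges.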