Everyone,
It has occurred to me that many, many open source software projects use
Mozilla's vetted CA list. None of them, to my knowledge, compensate Mozilla
for its time and fiscal expenditure in vetting that list. (Also, I do not know
if there are any actual contracts that CAs have entered into with Mozilla.)
The CA/B Forum defines "publicly-trusted CA" as "any CA which has contracted with
the developer of software used by the public."
From my understanding of US law, a contract requires "exchange of consideration", "competent
parties", and "clear understanding of the terms and fact of a contract".
The fact that open-source software uses Mozilla's CA list without contracts means that
within those software projects, the CAs included fall outside of the corporate definition
of "publicly-trusted". Nonetheless, these projects do assert public trust in
these certificates. Mozilla's willingness to permit this is both:
1) Inadequate for its own protection, as there is no explicit disclaimer of any
particular warranty of its CA list's fitness for any particular purpose
(especially if included in other software), and
2) Laudable for its own community membership, as it is the source for much PKI
trust that simply could not exist in any other way.
The downside is that every application of this trust list has mirrored Mozilla's historic
"if it's not a verifiably authentic real-world identity it's crap" approach.
This insistence actually reduces the value which vetted CAs bring to the table by more
than one order of magnitude.
Regardless... Mozilla is doing work to vet these CAs that other, non-affiliated
projects derive benefit from. This is important work, and it hasn't really
been widely recognized before.
So,
Thank you, everyone involved -- Frank, Nelson, Kathleen, and the many
volunteers who assist. And thank you, Mozilla.
Without you, we'd be more screwed than we already are.
-Kyle H
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto