Re: CAs and country restrictions

2007-05-30 Thread Paul Hoffman
At 4:53 PM +0100 5/30/07, Gervase Markham wrote: >Gervase Markham wrote: >> My proposal is that we accept such CAs, but use this technical >> capability to restrict them to signing certificates for domains under >> the appropriate TLD. > >Having considered the discussion, it looks like this idea

Re: CAs and country restrictions

2007-05-30 Thread Gervase Markham
Gervase Markham wrote: > My proposal is that we accept such CAs, but use this technical > capability to restrict them to signing certificates for domains under > the appropriate TLD. Having considered the discussion, it looks like this idea is not going to fly. Instead, we will do what Frank su

Re: CAs and country restrictions

2007-05-30 Thread Gervase Markham
David E. Ross wrote: > Your last sentence is exactly my point. It would be very difficult to > create an objective policy that allows some governments to certify CAs > but not allow others. This is true without regard for the issue of > secret certifications. An objective policy would be "all go

Re: CAs and country restrictions

2007-05-30 Thread Jean-Marc Desperrier
Paul Hoffman wrote: > [] what if the government of China insisted that Mozilla not allow > VeriSign to certify for names in .cn? Don't laugh, they at one point > demanded that VeriSign not allow IDN domain names in Chinese in .com. I certainly won't laugh, because Mozilla is doing just that

Re: CAs and country restrictions

2007-05-30 Thread Jean-Marc Desperrier
Gervase Markham wrote: > My proposal is that we accept such CAs, but use this technical > capability to restrict them to signing certificates for domains under > the appropriate TLD. The logic is that citizens of those countries have > to trust their government anyway, but that citizens of other

Re: CAs and country restrictions

2007-05-29 Thread Eddy Nigg (StartCom Ltd.)
Hi David, David E. Ross wrote: > Not only should Mozilla not accept classified audits. We should also > put that into the formal policy. I think this is already covered by the Mozilla CA policy under section 6: /provide attestation of their conformance to the stated verification requirements

Re: CAs and country restrictions

2007-05-29 Thread David E. Ross
Gervase Markham wrote: > David E. Ross wrote: >> Face it: some governments are corrupt. Others are not corrupt in the >> sense of officials taking bribes and acting on their self-interests, but >> they act in ways that western democracies might find offensive. In >> this latter group are nations

Re: CAs and country restrictions

2007-05-29 Thread Gervase Markham
Paul Hoffman wrote: > I thought the topic of this thread was: > >> There are currently two CAs who have applied for inclusion in the NSS >> store but their audits were done by their respective governments and are >> classified, and/or they are directly controlled by those governments. > > If it

Re: CAs and country restrictions

2007-05-29 Thread Gervase Markham
David E. Ross wrote: > Face it: some governments are corrupt. Others are not corrupt in the > sense of officials taking bribes and acting on their self-interests, but > they act in ways that western democracies might find offensive. In > this latter group are nations that practice or at least all

Re: CAs and country restrictions

2007-05-29 Thread Gervase Markham
Kyle Hamilton wrote: > If this is the case, then why is CAcert still being stonewalled? They aren't being stonewalled. They've withdrawn their application. Gerv

Re: CAs and country restrictions

2007-05-29 Thread Gervase Markham
Paul Hoffman wrote: > I stopped reading here. That is completely untrue for the majority of > the CAs in the Mozilla trust root pile. I would quibble with "majority". You might get away with "the majority of SSL server certs issued for use on the public internet are issued by CAs that don't...

Re: CAs and country restrictions

2007-05-29 Thread Gervase Markham
Paul Hoffman wrote: > At 10:10 AM +0100 5/28/07, Gervase Markham wrote: >> Paul Hoffman wrote: >>> Exactly. I strongly suspect that KISA would do a better job at checking >>> identification of a Korean company in .com than the CAs in the lowest >>> quartile of capabilities whom we fully trust to

Re: CAs and country restrictions

2007-05-28 Thread Kyle Hamilton
On 5/28/07, Paul Hoffman <[EMAIL PROTECTED]> wrote: > I stopped reading here. That is completely untrue for the majority of > the CAs in the Mozilla trust root pile. The majority of CAs issue > certificates based on a challenge-response mechanism that verifies > the existence of a domain name and/o

Re: CAs and country restrictions

2007-05-28 Thread Paul Hoffman
At 10:26 PM +0300 5/27/07, Eddy Nigg (StartCom Ltd.) wrote: >I just want to add a thought or two after following this thread from >the sidelines... > >Paul Hoffman wrote: > >>> >>>I don't know if I like the idea of saying that a commercial >>>organization has more authority to identify for global

Re: CAs and country restrictions

2007-05-28 Thread Paul Hoffman
At 10:18 AM +0100 5/28/07, Gervase Markham wrote: >Paul Hoffman wrote: >> The current thread is about a proposal that says, in essence, "we are >> willing to accept a secret audit of a trust anchor that we cannot see >> from a national government security agency, but if we accept that, the >> t

Re: CAs and country restrictions

2007-05-28 Thread Paul Hoffman
At 10:10 AM +0100 5/28/07, Gervase Markham wrote: >Paul Hoffman wrote: >> Exactly. I strongly suspect that KISA would do a better job at checking >> identification of a Korean company in .com than the CAs in the lowest >> quartile of capabilities whom we fully trust to do so. > >But do we fix th

Re: CAs and country restrictions

2007-05-28 Thread David E. Ross
Gervase Markham wrote: > Paul Hoffman wrote: >> The current thread is about a proposal that says, in essence, "we are >> willing to accept a secret audit of a trust anchor that we cannot see >> from a national government security agency, but if we accept that, the >> trust anchor can only bind i

Re: CAs and country restrictions

2007-05-28 Thread Gervase Markham
Benjamin Smedberg wrote: > I prefer to think of this in terms of limiting exposure: the Korean > government should have the ability to define our trust of the .ko domain, > but not our trust of non-.ko domains. That's a good way to put it. Gerv

Re: CAs and country restrictions

2007-05-28 Thread Gervase Markham
Paul Hoffman wrote: > The current thread is about a proposal that says, in essence, "we are > willing to accept a secret audit of a trust anchor that we cannot see > from a national government security agency, but if we accept that, the > trust anchor can only bind identities that contain a doma

Re: CAs and country restrictions

2007-05-28 Thread Gervase Markham
Paul Hoffman wrote: > Exactly. I strongly suspect that KISA would do a better job at checking > identification of a Korean company in .com than the CAs in the lowest > quartile of capabilities whom we fully trust to do so. But do we fix that problem by allowing the Korean government-audited CA

Re: CAs and country restrictions

2007-05-27 Thread Eddy Nigg (StartCom Ltd.)
I just want to add a thought or two after following this thread from the sidelines... Paul Hoffman wrote: >> I don't know if I like the idea of saying that a commercial >> organization has more authority to identify for global commerce than >> any individual government, though. >> > > Exactl

Re: CAs and country restrictions

2007-05-27 Thread Paul Hoffman
At 10:25 AM -0700 5/27/07, Kyle Hamilton wrote: >On 5/26/07, Benjamin Smedberg <[EMAIL PROTECTED]> wrote: >> I prefer to think of this in terms of limiting exposure: the Korean >> government should have the ability to define our trust of the .ko domain, >> but not our trust of non-.ko domains. >

Re: CAs and country restrictions

2007-05-27 Thread Kyle Hamilton
On 5/26/07, Benjamin Smedberg <[EMAIL PROTECTED]> wrote: > I prefer to think of this in terms of limiting exposure: the Korean > government should have the ability to define our trust of the .ko domain, > but not our trust of non-.ko domains. i.e., the Korean government has the absolute authority o

Re: CAs and country restrictions

2007-05-26 Thread Benjamin Smedberg
Paul Hoffman wrote: > - Without seeing the audit, we have no idea whether the security used by > the agency would pass muster for the identities being bound. This means > that the standards we hold VeriSign to for certificates whose identities > are in .kr different than the standards we hold KISA

Re: CAs and country restrictions

2007-05-26 Thread Paul Hoffman
At 12:47 PM -0700 5/26/07, Kyle Hamilton wrote: >On May 26, 2007, at 11:06 AM, Paul Hoffman wrote: > >>If we adopt that model, they can. But, again, that's not what this >>thread was about. It was about Mozilla unilaterally constraining the >>names without asking the user based on a feature of the

Re: CAs and country restrictions

2007-05-26 Thread Kyle Hamilton
On May 26, 2007, at 11:06 AM, Paul Hoffman wrote: > If we adopt that model, they can. But, again, that's not what this > thread was about. It was about Mozilla unilaterally constraining the > names without asking the user based on a feature of the audit. ...versus an "all-or-nothing" trust? The

Re: CAs and country restrictions

2007-05-26 Thread Paul Hoffman
At 9:09 PM -0700 5/25/07, Nelson Bolyard wrote: >Paul Hoffman wrote: > > My feeling is that we would be better off not making this leap of >> limitation. Either someone is allowed to certify in all domain names, or >> in none. > >Paul, that argument sounds to me like you're saying that constrain

Re: CAs and country restrictions

2007-05-26 Thread David E. Ross
Nelson Bolyard wrote: > Robert Sayre wrote: >> Nelson Bolyard wrote: >>> In effect, all the root CA certs are subordinate to the user himself. >> I can't accept this assertion, but I admit I am unable to articulate the >> reason. Maybe it's that users have never, ever cared about "root CA certs"? >

Re: CAs and country restrictions

2007-05-25 Thread Robert Sayre
Nelson Bolyard wrote: > > Now, there's simply no way that we can deny that those users are in control > of the CAs they trust. The collected trust information stored by NSS for > them is their trust anchor (in my view). > I think it's possible that you've overstated the prominence of these use

Re: CAs and country restrictions

2007-05-25 Thread Nelson Bolyard
Robert Sayre wrote: > Nelson Bolyard wrote: >> >> In effect, all the root CA certs are subordinate to the user himself. > > I can't accept this assertion, but I admit I am unable to articulate the > reason. Maybe it's that users have never, ever cared about "root CA certs"? But it has always been

Re: CAs and country restrictions

2007-05-25 Thread Robert Sayre
Nelson Bolyard wrote: > > In effect, all the root CA certs are subordinate to the user himself. I can't accept this assertion, but I admit I am unable to articulate the reason. Maybe it's that users have never, ever cared about "root CA certs"? - Rob

Re: CAs and country restrictions

2007-05-25 Thread Nelson Bolyard
Paul Hoffman wrote: > At 6:06 PM +0100 5/24/07, Gervase Markham wrote: >> Paul Hoffman wrote: >> > That makes the assumption that all domains from those countries are in >>> the countries' TLDs; that is a bad assumption. >> >> You mean that these CAs will not be able to sign certificates for some

Re: CAs and country restrictions

2007-05-25 Thread Robert Sayre
Paul Hoffman wrote: > > My feeling is that we would be better off not making this leap of > limitation. Either someone is allowed to certify in all domain names, or > in none. ... > > The easiest way to avoid such problems is to not get into the business > of subsetting which domains a CA is

Re: CAs and country restrictions

2007-05-25 Thread Paul Hoffman
At 6:06 PM +0100 5/24/07, Gervase Markham wrote: >Paul Hoffman wrote: > > That makes the assumption that all domains from those countries are in >> the countries' TLDs; that is a bad assumption. > >You mean that these CAs will not be able to sign certificates for some >sites that they might want

Re: CAs and country restrictions

2007-05-25 Thread Gervase Markham
Frank Hecker wrote: > So the question is, if a government CA provided a statement roughly > equivalent to the (public) WebTrust report, would that be sufficient for > us? I think the answer is arguably yes, provided that we have the same > general level of confidence in the organization doing th

Re: CAs and country restrictions

2007-05-24 Thread Gervase Markham
Paul Hoffman wrote: > That makes the assumption that all domains from those countries are in > the countries' TLDs; that is a bad assumption. You mean that these CAs will not be able to sign certificates for some sites that they might want to (e.g. www.myfrenchsite.com)? Yes, but that's just t

Re: CAs and country restrictions

2007-05-24 Thread Gervase Markham
David E. Ross wrote: > I believe that trust should require public disclosure. Citizens of France have no choice but to "trust" their government, to a certain extent. In that the government can exercise jurisdiction over them. Is the proposed certificate arrangement not just a reflection of real

Re: CAs and country restrictions

2007-05-24 Thread Frank Hecker
Paul Hoffman wrote: > I propose that we simply do not allow classified audits. Those two CAs > can get additional, non-classified audits if they want to be in the root > store. > If FubarSign came to us with a "classified" audit from a commercial > auditor, would we even consider it? > > Why s

Re: CAs and country restrictions

2007-05-24 Thread Paul Hoffman
At 2:39 PM +0100 5/24/07, Gervase Markham wrote: >There are currently two CAs who have applied for inclusion in the NSS >store but their audits were done by their respective governments and are >classified, and/or they are directly controlled by those governments. > >They are: > >KISA (South Korea,

Re: CAs and country restrictions

2007-05-24 Thread David E. Ross
Gervase Markham wrote: > There are currently two CAs who have applied for inclusion in the NSS > store but their audits were done by their respective governments and are > classified, and/or they are directly controlled by those governments. > > They are: > > KISA (South Korea, .kr) > https://b

CAs and country restrictions

2007-05-24 Thread Gervase Markham
There are currently two CAs who have applied for inclusion in the NSS store but their audits were done by their respective governments and are classified, and/or they are directly controlled by those governments. They are: KISA (South Korea, .kr) https://bugzilla.mozilla.org/show_bug.cgi?id=335