Google Groups Home
Help | Sign in
netscape.public.mozilla.crypto
+ new post
About this group
Subscribe to this group
This is a Usenet group - learn more
Message from discussion Low assurance SSL CAs
The group you are posting to is a Usenet group. Messages posted to this group will make your email address visible to anyone on the Internet.
Your reply message has not been sent.
Your post was successful
 
From:
To:
Cc:
Followup To:
Add Cc | Add Followup-to | Edit Subject
Subject:
Validation:
For verification purposes please type the characters you see in the picture below or the numbers you hear by clicking the accessibility icon. Listen and type the numbers you hear
 
Frank Hecker  
View profile  
 More options Feb 15 2005, 1:43 pm
Newsgroups: netscape.public.mozilla.crypto
From: Frank Hecker <hec...@hecker.org>
Date: Tue, 15 Feb 2005 13:43:14 -0500
Local: Tues, Feb 15 2005 1:43 pm
Subject: Re: Low assurance SSL CAs
Reply to author | Forward | Print | View thread | Show original | Report this message | Find messages by this author

Nelson Bolyard wrote:
> I think we (er, MF) *could*, if MF was willing to require, in its CA cert
> policy, that CAs for SSL and Code Signing must use a specified minimum
> level of authentication in the issuance of those certs.  But presently,
> it seems the policy is willing to give any WebTrust-attested CA whatever
> trust bits they request.  So, at the moment, no, I cannot say it is still
> the case.

For the record, I would be willing to consider revising the draft CA
certificate policy to incorporate requirements on minimum assurance
levels for particular purposes. However...

1. I'd like more information on whether you and others want this simply
as a "good thing", or whether we have real evidence that this will
address a real problem, based on past evidence and future plausibility.
If this is mainly just a "good thing" then while I might agree that it's
a "good thing" as well, I don't necessarily want to enshrine it in
policy, at least right now.

2. I need proposed language for a future policy draft, and a consensus
behind that language; this by implication also means consensus on what
the minimum requirements should be for each type. If there is no such
consensus then I will postpone this issue to a future version of the policy.

3. I would like to see some investigative work done to determine how
this policy would affect "incumbent" CAs (i.e., CAs already in the list
prior to my taking on approving new ones) and "newly-approved" CAs
(i.e., CAs I've approved myself). Since part of the policy involves the
possibility of going back and re-considering CAs already on the list,
I'd like to know how this proposed change is going to affect things.
(For example, will we have to face a decision on kicking out a lot of
CAs, or at least restricting the "trust bits" we set for them?)

4. I would like clarity on how existing Mozilla/Firefox/Thunderbird/etc.
implementations may interact with such a policy. (For example, I think
you previously alluded to Mozilla implicity trusting JavaScript in some
context if it were downloaded from an SSL-enabled site.) I am reluctant
to implement a policy if the code itself negates its intent.

Frank

--
Frank Hecker
hec...@hecker.org


    Reply to author    Forward  
You must Sign in before you can post messages.
To post a message you must first join this group.
Please update your nickname on the subscription settings page before posting.
You do not have the permission required to post.
Create a group - Google Groups - Google Home - Terms of Service - Privacy Policy
©2009 Google