Comment 36 for bug 28048

In , Nelson-bolyard (nelson-bolyard) wrote:

Frank I agree with nearly all your points in comment 35. I would add that

* if the mozilla foundation gets into the position of establishing its own
selection criteria, and becomes its own filter of acceptable CAs, then it
may be liable for its choices. (I am not a lawyer, and don't pretend to be.)
OTOH, if it instead relies entirely on the attestation of another body
(be it AICPA or someone else), then potentially the liability issues transfer
to that other body. That's part of the reason why I proposed that mozilla
rely on AICPA. If I had known of others trying to do the same thing, I might
have included them in that recommendation too.

* about the brittle/meltdown issue, and referring to the links in Duane's
comment 30 above, I think part of the reason those articles were written
was to deflate the public's expectations of web security somewhat, to try
to avoid a "significant lessening in user trust in the whole PKI setup
around SSL-enabled web servers" (quoting Frank).

Much of the public still mistakenly thinks that the lock icon implies that
the party who runs the server whose page you're viewing is trustworthy.
Of course, it doesn't mean that and never has.

* Regarding the notion to "divide efforts between an initial selection process
and a post-selection process for dealing with CA-related problems", I would
say this. Browsers last a long time. There are still people running C4.x.
Most browser users NEVER even DISCOVER the "Certificate Manager" by which
they can add or remove CA certs from their browser. The browser lives with
its initial set of CAs for its entire lifetime in their profiles. It's
relatively easy to add CAs, and almost impossible to get the public to take
out a CA that has been deemed a rogue after the fact. In short, I think it's
not practically feasible right now to ever "revoke" a root CA cert that's
out in the field in mozilla executables. So, I think mozilla should continue
to put a high effort up front.

OTOH, the idea of an Uber-CA keeps coming up. Someone might offer a CA-like
service with a server that will answer in real time (a la OCSP) the question of
whether a certain root CA is still trustworthy. If the service was offered
and available, mozilla could surely be made to act as a client for it.

I invite all to discuss this further in the public newsgroup
news://news.mozilla.org:119/netscape.public.mozilla.crypto

I can't think of a more ON-TOPIC discussion for that group than this one,
and news.mozilla.org is MUCH better prepared to handle hundreds of discussion
participants than bugzilla.mozilla.org is. (I'm referring to the 320+ member
CC list this bug has now!) Please join me in that group!

I'll start by posting there a list of issues I'd want to see a CA address to
earn my trust (as an end user).