On Tue, Jan 1, 2013 at 9:49 PM, Michael Mol <mikemol@×××××.com> wrote:
> On Tue, Jan 1, 2013 at 9:37 PM, Benjamin Peterson <benjamin@××××××.org> wrote:
>> Michael Mol <mikemol <at> gmail.com> writes:
>>> On Tue, Jan 1, 2013 at 5:51 AM, Dirkjan Ochtman <djc <at> gentoo.org> wrote:
>>> > Speaking of which, say what you will about Mozilla's broken criteria
>>> > for root inclusion, but Mozilla has no commercial interests,
>>>
>>> Wait, what? How does taking income during a process not constitute a
>>> commercial interest?
>>
>> There seems to be some confusion about Mozilla's cert inclusion process. Mozilla
>> does not make any money by including CA certificates. Per its own policy [1],
>> "We will not charge any fees to have a CA's certificate(s) distributed with our
>> software products."
>>
>> [1] https://www.mozilla.org/projects/security/certs/policy/InclusionPolicy.html
>
> Fair enough. I took Rich's email as an indication they did.

To be trusted by Mozilla you do indeed need to pay substantial sums of
money (in almost all cases), but you don't actually pay them to
Mozilla. Typically you pay them to an auditor who specializes in such
things, such as WebTrust. The fact that they don't even publish their
fees tells you all you need to know - I've heard they are in the
neighborhood of $10k.

My concern is that the approach chosen by Mozilla (and most other
software distributions produced by large corporations) is mostly about
having lots of paperwork and auditing, and is not about actual
security. If a certificate authority has a pile of paperwork saying
they operate one way, it won't stop them from issuing certificates to
the NSA or whoever if they get a national security letter, or the
equivalent in one of the 400 other jurisdictions that these companies
reside in (many of which make the Patriot Act seem quite tame).

And that is just considering cases where the CA cooperates with legal
authorities. Factor in incompetence and just about anything can
happen. Incompetence happens in industries that have heavy government
scrutiny, such as in pharmaceuticals and aircraft maintenance.
Certificate authorities are almost completely unregulated in
comparison.

Basically the whole system is one big CYA maneuver. DNSSEC is far
more promising as a certificate distribution system, and the legacy
SSL system really is just standing in the way.

Rich