| 1 |
On Tue, Jan 1, 2013 at 9:49 PM, Michael Mol <mikemol@×××××.com> wrote: |
| 2 |
> On Tue, Jan 1, 2013 at 9:37 PM, Benjamin Peterson <benjamin@××××××.org> wrote: |
| 3 |
>> Michael Mol <mikemol <at> gmail.com> writes: |
| 4 |
>>> On Tue, Jan 1, 2013 at 5:51 AM, Dirkjan Ochtman <djc <at> gentoo.org> wrote: |
| 5 |
>>> > Speaking of which, say what you will about Mozilla's broken criteria |
| 6 |
>>> > for root inclusion, but Mozilla has no commercial interests, |
| 7 |
>>> |
| 8 |
>>> Wait, what? How does taking income during a process not constitute a |
| 9 |
>>> commercial interest? |
| 10 |
>> |
| 11 |
>> There seems to be some confusion about Mozilla's cert inclusion process. Mozilla |
| 12 |
>> does not make any money by including CA certificates. Per its own policy [1], |
| 13 |
>> "We will not charge any fees to have a CA's certificate(s) distributed with our |
| 14 |
>> software products." |
| 15 |
>> |
| 16 |
>> [1] https://www.mozilla.org/projects/security/certs/policy/InclusionPolicy.html |
| 17 |
> |
| 18 |
> Fair enough. I took Rich's email as an indication they did. |
| 19 |
|
| 20 |
To be trusted by Mozilla you do indeed need to pay substantial sums of |
| 21 |
money (in almost all cases), but you don't actually pay them to |
| 22 |
Mozilla. Typically you pay them to an auditor who specializes in such |
| 23 |
things, such as webtrust. The fact that they don't even publish their |
| 24 |
fees tells you all you need to know - I've heard they are in the |
| 25 |
neighborhood of $10k. |
| 26 |
|
| 27 |
My concern is that the approach chosen by Mozilla (and most other |
| 28 |
software distributions produced by large corporations) is mostly about |
| 29 |
having lots of paperwork and audting, and is not about actual |
| 30 |
security. If a certificate authority has a pile of paperwork saying |
| 31 |
they operate one way, it won't stop them from issuing certificates to |
| 32 |
the NSA or whoever if they get a national security letter, or the |
| 33 |
equivalent in one of the 400 other jurisdictions that these companies |
| 34 |
reside in (many of which make the Patriot Act seem quite tame). |
| 35 |
|
| 36 |
And that is just considering cases where the CA cooperates with legal |
| 37 |
authorities. Factor in incompetence and just about anything can |
| 38 |
happen. Incompetence happens in industries that have heavy government |
| 39 |
scrutiny, such as in pharmaceuticals and aircraft maintenance. |
| 40 |
Certificate authorities are almost completely unregulated in |
| 41 |
comparison. |
| 42 |
|
| 43 |
Basically the whole system is one big CYA maneuver. DNSSEC is far |
| 44 |
more promising as a certificate distribution system, and the legacy |
| 45 |
SSL system really is just standing in the way. |
| 46 |
|
| 47 |
Rich |
Archives