Wednesday 6 August 2008
Certificate fun and how Mozilla can help
Yay! Certificates are the latest hot topic. I had a discussion about this with a few people back at the RMLL because lots of users there were complaining about it. I have no strong opinion on this myself, but it strikes me that Mozilla could help here.
The worst problem is self-signed certificates, which are especially common in our free software world. People have commented that using CAcert should help, but as long as the CAcert root certificates are not installed by default with your browser, this won't help much. And it seems this is not going to happen (well, at least for Firefox) because of Mozilla's CA certificate policy. I guess other browsers have a similar policy, and the policy itself probably makes some sense.
So what can Mozilla do? Let's look at the Mozilla Manifesto (which seems to be offline at the moment -- but you can look at the archived version). The fourth principle is related to this issue and reads:
"Individuals' security on the Internet is fundamental and cannot be treated as optional."
And then in the Mozilla Foundation pledge, you can read:
"use the Mozilla assets (intellectual property such as copyrights and trademarks, infrastructure, funds, and reputation) to keep the Internet an open platform."
Can you see where I'm heading?
I believe the Mozilla Foundation could use some of its assets to be a certificate authority that operates in a way compatible with its own CA certificate policy. It would offer this service to non-commercial entities that respect some criteria. I'm not going to put a list of potential criteria here, but I guess many free software projects would qualify and would benefit from this. This would fix what Chris highlights in his post, i.e., the fact that it affects the free software community more than others. And it would also help improve the user experience on the web, which is one of Mozilla's missions.