mon journal - par Vincent - Certificate fun and how Mozilla can help - Comments

Certificate fun and how Mozilla can help - bluebirch

bluebirch — Sun, 24 Aug 2008 14:04:34 +0000

I think certificates need a larger structural change rather than yet another CA.I have written a blog post[1] about it and would welcome your comments. The part that would solve the problem of the security tax is making certificates hierarchical/recursive.

[1] blauebirke.wordpress.com/...

Certificate fun and how Mozilla can help - Benoit

Benoit — Thu, 07 Aug 2008 19:06:29 +0000

Since you talk about the RMLL, I assume the people complaining were speaking French. In that case, you can refer them to our translation[1] of the excellent "Firefox 3: Site Identification button" article[2] from Deb Richardson, which explains what Mozilla is doing from the user point of view.

[1] www.geckozone.org/article...
[2] www.dria.org/wordpress/ar...

Certificate fun and how Mozilla can help - Some Guy

Some Guy — Thu, 07 Aug 2008 06:42:10 +0000

Companies should focus on their core mission. Branching out into areas only tangentially related risks diverting attention from the things that matter more to them, and the side-projects inevitably end up as under-resourced baggage.

Also, see blog.johnath.com/2008/08/... "Several CAs accepted by all major browsers sell certificates for less than $20/yr, and StartSSL, in the Firefox 3 root store, offers them for free."

Certificate fun and how Mozilla can help - Vincent

Vincent — Wed, 06 Aug 2008 23:27:19 +0000

Chris: thanks for your reply.

To reply to the first point: I'm not saying the policy is bad. And having read a few bug reports about getting new root certificates included, I absolutely agree that Gerv & Frank are doing a good job.

And indeed, it's not a costless "business" (I wouldn't call this business if Mozilla were to do it). It's also not something Mozilla would do just for the fun of it, and it clearly needs some thoughts. But I do believe that Mozilla being a certificate authority and offering this service to the free software community (or to more people, although it would be a bigger and more difficult step) would really be a good thing. And it would fit well Mozilla's mission, at least that's my opinion :-)

Certificate fun and how Mozilla can help - Vincent

Vincent — Wed, 06 Aug 2008 23:15:09 +0000

Anonymous: I don't think I buy the "if it evers screws up" argument. You don't have to call it Mozilla Certificate Authority. It could be a separate entity too, if we want. I mean, that shouldn't block us from doing things. Never heard of StartCom before -- it could indeed help.

Certificate fun and how Mozilla can help - Christopher Blizzard

Christopher Blizzard — Wed, 06 Aug 2008 20:44:27 +0000

First of all I would say that Mozilla's cert policy is there for a good reason although those reasons aren't well laid out in the policy itself. CACert hasn't gone through the same process that every other cert that we include has gone through and they should if they want to be included. Gerv and Frank are both very fair people and represent the process well. If there's something fundamentally wrong with the policy I trust them to be able to work through that and apply some changes if they are required.

Second - and I will choose my words very carefully here because I believe they will be easy to misinterpret - the fact that we believe that security is fundamental does not necessarily mean that every single step of that process also has to be free of cost for everyone in the chain. I don't mean that we build cost into the process on purpose (although it's relatively complex so there are likely to be costs) but having CA certs that are free-of-cost hasn't been one of our goals to date.

Mozilla running a cert is also not free of cost, it just shifts the cost to us instead of someone else. It's not clear to me if that would be one of our goals or not. But it's worth thinking about, to be sure.

Certificate fun and how Mozilla can help - Anonymous

Anonymous — Wed, 06 Aug 2008 20:31:24 +0000

By the way, while CACert hasn't become accepted quite yet, a free certificate provider *does* exist: StartCom.

Certificate fun and how Mozilla can help - Anonymous

Anonymous — Wed, 06 Aug 2008 20:30:50 +0000

Nice idea, but difficult in practice. Becoming a CA involves lots of liability, and that liability shouldn't get associated with the Mozilla name. If the hypothetical "Mozilla Certificate Authority" ever screwed up, and its name gets associated with some well-publicized scam, that loss of trust will extend to other things under the Mozilla name, such as Firefox.

Certificate fun and how Mozilla can help - Kalle Vahlman

Kalle Vahlman — Wed, 06 Aug 2008 19:55:11 +0000

Touché!

That has got to be the most clever suggestion anyone can bring to this debate :)

I hope Mozilla Fundation* is hearing and considering it, since the current situation is worse than not having certificates at all!

Vincent, it doesn't matter if you lost the deathmatch, you still rock! ;)

(*yes, it was intentional)

Certificate fun and how Mozilla can help - Tester

Tester — Wed, 06 Aug 2008 19:09:10 +0000

It would be good if not only open source organisations/projects could use it, but also individuals. Producing SSL certs costs almost nothing, I think Mozilla would be in a great position to provide this service to the world. It would probably make the commercial certs provider lower their prices too...