[fc-discuss] Financial Cryptography Update: After 10 years, a new policy on adding CAs

iang@iang.org iang@iang.org
Fri, 18 Nov 2005 20:32:50 +0000 (GMT)


 Financial Cryptography Update: After 10 years, a new policy on adding CAs 

                           November 18, 2005


------------------------------------------------------------------------

https://www.financialcryptography.com/mt/archives/000598.html



------------------------------------------------------------------------

Frank announces the new Mozo policy for CAs.

http://www.hecker.org/mozilla/cert-policy-approved

This is a significant piece of news in an otherwise moribund field -
there hasn't been anything happening in the CA business since Verisign
bought Thawte.  In brief, here's the story:  since the dawn of SSL
time, all browsers have more or less inherited a list of favoured
buddies created by Netscape.  When Mozilla started to ship significant
numbers of browsers, they started to get calls for new CAs to be added.

Looking around, it was discovered there were no rules, other than "must
be WebTrust Audited!"  Well, that fell by the wayside when it was
pointed out that Mofo was supposed to be working in the open source
world and WebTrust audits start at $50k.  Not to mention serious
irregularities in the WebTrust process itself, and evolving security
failures of the overall browser system...

Policy guru Frank Hecker burnt many candles to craft a compromise
between the reds and the blues.  Bitter debate ensued, but the end
result is OK, although it does kind of highlight that Mofo (or is it
Mozo?) is a meta CA and has not or cannot escape some
responsibility for the CAs that are added.

http://www.hecker.org/mozilla/ca-certificate-policy

To cap it off, rumour has it that Microsoft has also started a policy
review, no doubt following the quite serious discussion on the
n.p.m.crypto lists over this major issue.  Last I heard, Konqueror,
Opera and Safari were expecting to follow Mozo on this policy, so this
may result in a minor shakeup.

(Some minor disclosure - I have been helping the CAcert people with
their policy ...)
