On 7/2/05, Andrew Suffield <[EMAIL PROTECTED]> wrote:
> On Thu, Jun 30, 2005 at 09:43:04PM +0100, Gervase Markham wrote:
> > These are two very different cases, though. If a local admin installs a
> > new root cert, that's cool - they are taking responsibility for the
> > security of those users, and they have extreme BOFH power over them
> > anyway. However, having the root appear by default, so that no-one at
> > the remote site really knows it's there (who consults the root list) and
> > it's now on Y thousand or million desktops - that is a different kettle
> > of fish.
>
> You've missed the really interesting, really important case.
>
> What about the site admin team for X thousand desktops who produce a
> modified firefox package to be used across the whole company? This is
> the normal, expected usage of Debian.
Happily, trademark law is perfectly indifferent to this case; when the modified package is not advertised, marketed, sold, or otherwise used in commerce under the trademark, there is no case for trademark infringement (AIUI, IANAL). A trademark license can of course be conditioned on the licensee's agreement to arbitrary constraints, since (like a copyright license) it is an offer of contract; but the offer on the table from the Mozilla Foundation more nearly resembles a unilateral grant, articulating a "safety zone" within which no license as such is required, and places no onus on Debian to ensure that recipients of the Debian package don't further re-work it.

> > A quick reminder of what's at risk here: if the private key of a root
> > cert trusted by Firefox became compromised, _any_ SSL transaction that
> > any user trusting that cert performed could be silently MITMed and
> > eavesdropped on.
>
> Let's be serious here. You've already got the verisign certificates,
> and you've got a helpful dialog box that appears whenever new
> certificates are presented to the browser such that the user can just
> whack 'ok' without reading it. SSL security on the internet at large
> is a myth. Anybody who trusts it is insane; the risks aren't very
> significant.

Information security in general is a myth, but like many myths it has utility in some contexts. If you feel some degree of responsibility for ensuring the good conduct of someone else, then it's wise to make good conduct convenient for them and bad conduct as inconvenient, risky, and easy to detect as possible. Site admins who care can make it quite inconvenient for the user to "whack 'ok'" when there is no chain of trust to a root cert, and can back this up with logging to make it easy to detect and a site policy to make it risky. Selecting root certs carefully can make it relatively convenient for a legitimate site to establish a chain of trust and relatively inconvenient to undermine that trust.
None of this is anything resembling foolproof -- or rather clever, determined, non-risk-averse, expendable attacker-proof. But it's sophomoric to claim that ease of circumvention by an unsupervised user would justify a cavalier attitude to root cert security on the part of the Mozilla Foundation.

Cheers,
- Michael