Hi there,
>It's time to have some kind of governing body
>to force the browser makers include all accredited
>CA's in the list of automatically trusted CA's.
>Not the ones that pay them big $$$.
Only if they also ensure that the CAs also pass some level of periodic
audit-review to ensure they're worthy of "assumed trustworthiness" by the
millions of unwitting dupes out there ... namely us, the browser users.
Without such an *international* standards mechanism in place (this should
not be another US-controlled thing IMHO), *no* CAs should be installed by
default, after all - if the CA hasn't been validated by some public body as
worthy of issuing certificates of identity (or corporation, or whatever)
then it is only superior to my own cooked up CA by way of its size, PR, and
operational capacity (it can blindly stamp certificates at a greater rate
per hour than I can). Hence, without any such independent review, their CA
cert deserves to be embedded in the browser no more than mine does.
So the question is not so much "who else deserves to have a CA cert
included in the browser", but rather "do the CA certs embedded in the
browser deserve to be there". There's a subtle but salient distinction.
You're certainly right that getting a CA cert embedded in the browsers
through an exchange of funds is highly unethical ... bundling audio-visual
tools, ISP service promotions, etc is a pain, but that's business and you
can understand that - even if it's annoying. However, a browser's handling
of security, and certification in particular, is an issue that begins to
touch on areas of civil-liberties, privacy, trade-secrets, law (e.g.
digital signature legislation, credit-card fraud), and perhaps (for the
first time I have ever found it acceptable to use this phrase) "national
security". On reflection of that, buying a place in the trusted root cert
repository is a highly immoral, unethical, and corrupt process. After all,
for 99.9% of the populace, the embedded CA certs in their browser are
effectively the "arbiters of identity" on the Internet ... a dubious role
for private software companies to just be handing out to the highest bidders.
Just my $0.02 worth ... (which will *not* buy my way into those root cert
stores, but then the current quality of browser security does not provide
too many obstacles to me forcing its way in there anyway). :-)
Cheers,
Geoff
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]