A cert for a new CA, conveniently named CACert, is being proposed for addition to Mozilla, the big open source group pushing out a successful browser.
As CACert is not a commercial organisation, and doesn't sell its certs for any sort of real money, this has sparked quite a debate.
The Mozilla Foundation has held firm to its non-commercial roots so far, announcing and publishing a draft policy and FAQ that espouse no-cost CA cert addition and fairly perfunctory checks.
The groundswell for reworking the browser approach to the crypto security layer is growing. In 2003, I pressed the debate forward with a series of rants attacking the SSL/HTTPS (in)security design.
I suggest the way is now open for cryptographers to adopt economic cryptography, rather than the no-risk cryptography approach used in SSL and since discredited.
In the specific case of SSL/HTTPS, we recommend moving to:
Copying the successful economic cryptography model of SSH would definitely lift the ugly duckling SSL crypto system out of the doldrums (the first piece on the rants page above, "How effective is open source crypto?", discusses the woeful statistics for SSL certificate usage).
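The SSH model the post points to rests on key continuity (trust on first use) rather than on a root list, while the SSL/HTTPS model delegates trust entirely to whichever CAs the browser ships. The following toy comparison is an added illustration, not code from the original post or from Mozilla, CACert or any SSH implementation: the `KnownHosts` class, the `ca_sign`/`ca_verify` functions, the host name, the CA names and the "secrets" are all constructed for the example, and an HMAC tag stands in for a real certificate signature (so the verifier holds the issuer secret, which a real CA would replace with a published public key).

```python
"""Two trust models for a server's public key, side by side (constructed toy code)."""
import hashlib
import hmac
from typing import Dict, Literal, Tuple

Verdict = Literal["new", "match", "mismatch"]
Cert = Tuple[str, str, bytes, bytes]  # (issuer, subject host, public key, tag)


def fingerprint(public_key: bytes) -> str:
    """SHA-256 fingerprint of a raw public key blob, hex-encoded."""
    return hashlib.sha256(public_key).hexdigest()


class KnownHosts:
    """SSH-style trust on first use: remember the key seen first for each host,
    accept it silently afterwards, and alarm only when it changes."""

    def __init__(self) -> None:
        self._pins: Dict[str, str] = {}

    def check(self, host: str, public_key: bytes) -> Verdict:
        fp = fingerprint(public_key)
        pinned = self._pins.get(host)
        if pinned is None:
            self._pins[host] = fp  # first contact: pin it; no third party is consulted
            return "new"
        # A changed key is the event worth an operator's attention (key rotation or interception).
        return "match" if hmac.compare_digest(pinned, fp) else "mismatch"


# CA model: the verifier trusts a key only if a root in its list vouches for it.

def ca_sign(ca_name: str, ca_secret: bytes, host: str, public_key: bytes) -> Cert:
    """Toy 'certificate' issued by ca_name. HMAC stands in for a signature."""
    tag = hmac.new(ca_secret, ca_name.encode() + host.encode() + public_key, "sha256").digest()
    return (ca_name, host, public_key, tag)


def ca_verify(cert: Cert, roots: Dict[str, bytes]) -> bool:
    """Accept only if the issuer is in the root list and the tag checks out."""
    issuer, host, key, tag = cert
    secret = roots.get(issuer)
    if secret is None:
        return False  # issuer absent from the root list: rejected outright, whatever the key history
    expected = hmac.new(secret, issuer.encode() + host.encode() + key, "sha256").digest()
    return hmac.compare_digest(expected, tag)


def demo() -> Tuple[list, list]:
    """Run both models over the same constructed server keys."""
    key_a = b"constructed-server-key-A"
    key_b = b"constructed-server-key-B"

    hosts = KnownHosts()
    tofu = [
        hosts.check("example.test", key_a),  # first sight: pinned
        hosts.check("example.test", key_a),  # same key again: fine
        hosts.check("example.test", key_b),  # key changed: flagged
    ]

    roots = {"BigCommercialCA": b"constructed-secret-1"}  # what the browser ships
    cert_big = ca_sign("BigCommercialCA", b"constructed-secret-1", "example.test", key_a)
    cert_new = ca_sign("CACert", b"constructed-secret-2", "example.test", key_a)
    ca = [ca_verify(cert_big, roots), ca_verify(cert_new, roots)]  # same key, different issuer
    roots["CACert"] = b"constructed-secret-2"  # the root-list decision the post is about
    ca.append(ca_verify(cert_new, roots))
    return tofu, ca


if __name__ == "__main__":
    print(demo())
```

The point the comparison makes: under the CA model the identical server key is accepted or rejected purely on whether its issuer is in the root list, which is why a root-inclusion policy carries so much weight; under the SSH model no list is consulted at all, and the only signal is a key that differs from the one seen before.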
Posted by iang at February 10, 2004 09:37 PM | TrackBack

To enter the debate, subscribe to the mozilla-crypto mailing list at mozilla-crypto@mozilla.org through this page: http://mail.mozilla.org/listinfo/mozilla-crypto or enter this newsgroup: netscape.public.mozilla.crypto
Posted by: Ian Grigg at February 12, 2004 08:48 AM