February 06, 2005

Mozilla nears formal policy on new CAs

The Mozilla Foundation is running a project to develop a policy for adding new Certificate Authorities to Firefox, Thunderbird and the like. The aim is that more organisations can sign off on more certificates, so more sites can use SSL and you can be more secure in browsing. Frank Hecker, who leads the project, has announced his "near ready" draft, intimating it will be slapped in front of the board any day now.

It transpires that this whole area is a bit of a mess, with browser manufacturers having inherited a legacy root list from Netscape, and modified it through a series of ad hoc methods that suit no-one. Microsoft - being the 363kg gorilla on the block - hands the whole lot over to a thing called WebTrust, which is a cartel of accountancy firms that audit CAs and charge for the privilege. Perfectly reasonable, and perfectly expensive; it's no wonder there are so few SSL sites in existence.

Netscape, the original and much missed by some, tried charging the CA to get added to its browser, but frankly that wasn't the answer. The whole practice of offering signed certificates is fraught with legal difficulties, and while the system wasn't under any form of attack, this lack of focus brought up all sorts of crazy notions like trying to make money in this business. Now, with phishing running rampant and certs sadly misdirected against some other enemy, getting out of selling CA additions is a Good Thing (tm). Ask your class action attorney if you are unsure on this point.

This confusion, and the absence of any grounding in security or rationality, the Mozilla Foundation recognised, to their credit. The draft policy has evolved into a balanced process requiring an external review of the CA's operating practices. That review could be a WebTrust audit, some technical equivalent, or an independent review by an agreed expert third party.

In the year the project has been running, MF has added dozens of new CAs, and is proceeding on a path to add smaller non-commercial CAs like CAcert. This is one of a bevy of non-"classical" CAs that use the power of the net to create their relationships network. This is the great white hope for browsing - the chance of unleashing the power of SSL to the small business and small community operators.

To get there from where they were was quite an achievement and other browser manufacturers would do well to follow suit. Crypto wasn't ever meant to be as difficult as the browser makes it. Go Mozilla!

Posted by iang at February 6, 2005 03:41 PM


It seems to me that the SSL function is potentially useful but the CA nonsense is a disaster. The disaster is the result of trying to make it all transparent to the user and place ultimate trust in an "authority".

Now it may well be that most users cannot be expected to mess around with certs and stuff. But couldn't the browser have a simple button which the user could poke when he is viewing an https page that he thinks is legitimate? And then thereafter the browser would accept that cert as the valid one for that site (or whatever) and warn the user if it is not present.

Every user his own certificate authority! Given all the pitfalls of this, wouldn't it be an improvement?



Posted by: CCS at February 6, 2005 06:19 PM
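The "button" CCS describes above is what is now usually called trust-on-first-use, or per-site certificate pinning. The following is an added example, not code from the post or from any browser: it keeps a per-host certificate memory that is filled only when the user presses the button, and reports whether a later certificate matches, is unknown, or has changed. The certificate values are constructed byte strings standing in for DER-encoded certificates; a real browser would feed in the DER it received in the TLS handshake. It also shows the trade-off a practitioner would want to see: a legitimate certificate renewal is indistinguishable from an impostor, so the user has to re-pin.

```python
"""Trust-on-first-use certificate memory for a browser (added example).

Model: the user presses "I trust this site" on an https page; the browser
records that site's certificate; later visits are compared against it and a
change is flagged instead of being silently accepted.
"""
import hashlib
import json
from pathlib import Path

# Outcomes of checking a presented certificate against the store.
UNKNOWN = "unknown"      # no pin for this host; the user has not pressed the button
MATCH = "match"          # certificate is the one remembered for this host
MISMATCH = "MISMATCH"    # certificate differs from the pin: warn, never auto-accept

# Constructed stand-ins for DER-encoded certificates (not real certificates).
BANK_CERT = b"constructed DER: CN=bank.example, key A, serial 1"
RENEWED_CERT = b"constructed DER: CN=bank.example, key B, serial 2"
IMPOSTOR_CERT = b"constructed DER: CN=bank.example, key X, serial 9"


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER bytes, the usual way to name a certificate."""
    return hashlib.sha256(cert_der).hexdigest()


class PinStore:
    """Per-host certificate memory; optionally persisted as JSON between runs."""

    def __init__(self, path=None):
        self.path = Path(path) if path else None
        self.pins = {}
        if self.path and self.path.exists():
            self.pins = json.loads(self.path.read_text())

    def _save(self):
        if self.path:
            self.path.write_text(json.dumps(self.pins, indent=2))

    def accept(self, host: str, cert_der: bytes) -> str:
        """The button: remember this certificate for this host."""
        fp = fingerprint(cert_der)
        self.pins[host] = fp
        self._save()
        return fp

    def check(self, host: str, cert_der: bytes) -> str:
        """Compare the presented certificate with the remembered one, if any."""
        pinned = self.pins.get(host)
        if pinned is None:
            return UNKNOWN
        return MATCH if pinned == fingerprint(cert_der) else MISMATCH

    def forget(self, host: str) -> None:
        """Drop the pin, e.g. after the user confirms a legitimate renewal."""
        self.pins.pop(host, None)
        self._save()


def demo():
    """Walk through first visit, pin, revisit, impostor, and renewal."""
    store = PinStore()  # in-memory; pass a file path to persist
    host = "bank.example"
    first = store.check(host, BANK_CERT)       # nothing pinned yet
    store.accept(host, BANK_CERT)              # user presses the button
    second = store.check(host, BANK_CERT)      # same cert: fine
    third = store.check(host, IMPOSTOR_CERT)   # different cert: warn
    # A legitimate renewal looks exactly like an impostor to this scheme;
    # the user has to re-pin once they have satisfied themselves it is genuine.
    assert store.check(host, RENEWED_CERT) == MISMATCH
    store.forget(host)
    store.accept(host, RENEWED_CERT)
    fourth = store.check(host, RENEWED_CERT)
    return [first, second, third, fourth]


if __name__ == "__main__":
    print(demo())
```

The weak point, as the reply below the comment hints, is the human step: the scheme only works if the user pins a genuine certificate in the first place, and every renewal turns into another decision for that same user.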

I wish! That's a button we'd all love. The problem is there is a widespread belief that the user does not know their own sites and they cannot be permitted to be part of the security decision. This derives from the resistance to popup warnings full of technospeak that they've quite rightly rejected over the years.

Posted by: Iang at February 6, 2005 06:22 PM