November 18, 2005

After 10 years, a new policy on adding CAs

Frank announces the new Mozo policy for CAs.

This is a significant piece of news in an otherwise moribund field - there hasn't been anything happening in the CA business since Verisign bought Thawte. In brief, here's the story: since the dawn of SSL time, all browsers have more or less inherited a list of favoured buddies created by Netscape. When Mozilla started to ship significant numbers of browsers, it started to get calls for new CAs to be added.

Looking around, it was discovered there were no rules, other than "must be WebTrust Audited!" Well, that fell by the wayside when it was pointed out that Mofo was supposed to be working in the open source world and WebTrust audits start at $50k. Not to mention serious irregularities in the WebTrust process itself, and evolving security failures of the overall browser system...

Policy guru Frank Hecker burnt many candles to craft a compromise between the reds and the blues. Bitter debate ensued, but the end result is OK, although it does rather highlight that Mofo (or is it Mozo?) is a meta-CA and has not escaped, and cannot escape, some responsibility for the CAs that are added.

To cap it off, rumour has it that Microsoft has also started a policy review, no doubt following the quite serious discussion on the n.p.m.crypto lists over this major issue. Last I heard, Konqueror, Opera and Safari were expecting to follow Mozo on this policy, so this may result in a minor shakeup.

(Some minor disclosure - I have been helping the CAcert people with their policy ...)

Posted by iang at November 18, 2005 03:30 PM