I live in the Baltimore/Washington area and work for the government sales group of IronKey. For more about me and what I'm doing, see the “Personal” section of this site and my blog.

Entries for November 2005

CAs, certificates, and the SSL/TLS UI

In my previous posts I announced adoption of the new Mozilla policy on CA certificates and discussed the CA market and possible roles for CAs. In this post I present some of my personal thoughts about how the SSL/TLS UI used in Firefox and related products might evolve, based on past discussions in the n.p.m.crypto and n.p.m.security newsgroups and conversations I've had at different times with various CAs and browser suppliers. ...

The business of CAs

As I mentioned in my previous post about the new policy on CA certificates, one major issue is to what extent we should distinguish among the different types of certificates issued by different Certification Authorities, both in terms of the policy and also in terms of the SSL/TLS UI used in Firefox and other products. In today's SSL/TLS certificate market CAs sell certificates with different claims as to the "assurance" of the certificate, but Firefox and other browsers have a "one UI fits all" approach, where any SSL/TLS connection to a web site receives the same UI treatment (the infamous padlock) regardless of how and to what extent the CA validates the holder of the site's certificate.

After many years of the status quo there are now forces operating that may change this situation. I think that in order to understand the issues around the SSL/TLS UI we have to look not only at the security-specific issues (e.g., the nature and severity of threats, and the mechanisms by which we might defend against them), but also at the environment in which CAs are likely to be operating, and how their role might evolve over time based on the likely forces of change that are present in that environment. ...

Mozilla CA certificate policy approved

Back in April 2005 I submitted a draft policy document to the Mozilla Foundation regarding how we determine which Certification Authorities (CAs) have root certificates included in Mozilla-based products distributed by the Foundation. Since that time a lot has happened; in particular the Mozilla Foundation reorganized to move its product development and distribution activities into the new Mozilla Corporation, and I took on a part-time position with the "new" Mozilla Foundation as Director of Policy.

Now that I'm a Director of Policy I thought I should go ahead and actually do something policy-related, so I'm now officially announcing the new Mozilla CA Certificate Policy; I'll be formally using this henceforth when dealing with CAs who'd like to get their certificates into Firefox, Thunderbird, etc. (I've already been doing this informally.) ...