Ubuntu
evolution package

  1. Bug #232340
  2. Comment #115

Comment 115 for bug 232340

Revision history for this message
In , Jgzimmerle (jgzimmerle) wrote :

(In reply to comment #29)
> PKI is about TRUST. All root CAs that are trusted for (say) SSL service
> are trusted EQUALLY for that service. If we let a single CA into mozilla's
> list of trusted CAs, and they do something that betrays the publics' trust,
> then there is a VERY REAL RISH that the public will lose ALL FAITH in the
> "security" (the lock icon) in mozilla and its derivatives.

I agree, but I think the lock icon is the wrong approach anyway, because it only allows for two states: A site is either trusted or not. I think a scale would be more apropriate, because it would allow for different trust-levels, ranging from encryption-only (for self-signed certificates) to high-level-authenticated (for organisations like banks). Mozilla could then add CAcert root certificates to the clients and assign the maximum possible trust level that CAcert-certified sites can get.

Also to get top trust-levels it could be a requirement that the site's public key must be signed by several CAs.