I'd just like to offer my opinion, that while *commercial* software's dependence on commercial Certificate Signing Authorities seems appropriate to me, Open Source software, such as (any of) the projects of The Mozilla Organization, should *not* be depending solely on commercial entities to verify the integrity of its security model. As others have pointed out, access to the primary benefit of SSL encryption and security, which is *trust*, should not be restricted to only those who have paid a fee for it. The mere existence of a commercial transaction between someone and Thawte or Verisign or Network Solutions (--oh, wait.. those are all the same company!) does not, or at least *should* not, in and of itself provide the public any greater assurance that their systems are secure, that internet transactions with them are safe, or that their identities are legitimate, any more than one's trust in the "authority" of the organization signing the certificate would lead one to have in the first place. It has been argued that a browser should not ship with *any* installed root certificates, in order to force the user to realize that they must take the responsibility to install trust certificates themselves, so that their software is configured only to trust those whom they themselves have *chosen* to trust, and whom they've chosen to trust to vouch for the authenticity of others. That is, after all, the entire point of certificate signing, as Phil Zimmermann wrote in the original PGP documentation that introduced the world to public key cryptography, [available from ftp://ftp.pgpi.org/pub/pgp/2.x/doc/pgpdoc1.txt] "You should use a public key only after you are sure that it is a good public key that has not been tampered with, and actually belongs to the person it claims to. You can be sure of this if you got this public key certificate directly from its owner, or if it bears the signature of someone else that you trust".
For a software project to install these "trust keys" at all is presumptive at best, and at worst, itself a technical breach, a security hole. But this is the situation that today has become the de facto standard for browser software. Mozilla would be criticized as insecure or incomplete if it did not include the root certificates that are widely used today in the industry to verify the identity of web sites and the privacy and integrity of visitors' encrypted communications with those sites. But to limit Mozilla users, by default, to trusting only those same commercial Certificate Authorities that Microsoft Internet Explorer trusts does a disservice to Mozilla users, by lending credibility to the idea that these companies are the only trustworthy guardians of safe, secure internet communications. Especially in light of the level of trust that some of these companies who are in "the business of trust" have earned with the public so far, the need for a reliable, trustworthy, not-for-profit Certificate Authority like CACert.org has been sorely felt by those of us who understand that by installing a root certificate in our browsers (and email clients, web and mail servers) we're delegating the very critical responsibility for deciding who we trust to the signer of those certificates. A non-commercial entity like CACert.org is and has been needed for some time, in my opinion, and I for one would be quite relieved to see a group that I really do trust, such as The Mozilla Organization, take the all-important first step in dispelling this myth (that the commercial software and service companies would like the public to believe) that SSL certificates are only as "trustworthy" as the price one pays for them, or that big corporations are the only places I can feel safe placing my trust.
Mozilla and other large, quality open source software projects are already shattering similar myths about the relationship between *good* software and commercially developed software, and it would be great to have Mozilla blaze the trail toward the creation of a network of Truly Trust-worthy Certificate Signing authorities, whose missions are, clearly and transparently, actual honest trust and integrity, rather than merely a shroud of apparent trust cloaking the true purpose of pure profit. By installing the CACert.org root certificate in the most popular and successful open source alternatives to commercial browsers, the Mozilla Organization has an opportunity to provide an alternative to paid-for trust, to endorse grass-roots trust networks, and to make a conscientious statement to its users. Such a very responsible reminder to the browsing public at large, that no SSL certificate should *ever* be trusted any more than the user trusts the *signer* of the certificate, I feel is needed sooner rather than later. More and more mass-market consumers have already come to depend on their internet access software to conduct their daily financial tasks via the internet, and thus to protect their sensitive personal communications from whatever technical threats may exist to the privacy and security of their internet use. They look to Mozilla to set the standards, to provide and to recommend the best practices that are in the best interest of the user, as opposed to those of the organization developing the software. Even non-technical users already understand that open source projects like Mozilla define quality.
Therefore I believe Mozilla owes it to users to advise and educate them about any alternatives that exist to placing their privacy in the hands of any one organization. To the extent that commercial software companies ship their products configured to only trust the services of commercial "Trust Providers", users are led to assume that true security, truly reliable encryption, and true identity are technically only *possible* using the commercial software and service providers involved. Such assumptions are disproven by the mere fact that users are using Mozilla! They (in our opinion, rightly) trust Open Source software more than commercially developed software, and The Mozilla Organization owes it to its users to lead the way by demonstrating that their Open Source software does not equate true security, reliable encryption, and trust itself, with the purchase of a signature from one of the "trust provider" corporations whose sole purposes for existence begin and end with increasing shareholder value. Organizations that exist for the one purpose of profit do not have any interest in providing technically sound encryption software, or trustworthy certificate signing services, beyond that which is profitable to them, which means that it *is* in their financial interest to discourage, discredit and foster fear, uncertainty and doubt upon any non-commercial organization such as CACert.org whose expressly stated mission *is* solely to provide technically sound and truly trustworthy certificate signing service to everyone, even to those (I dare say, especially to those) who cannot afford to, or will not choose to, purchase trust from them.
Individuals, entrepreneurs, small businesses, and unincorporated nonprofit organizations are all perfect examples of entities who are just as likely to *need*, and to many, *more* likely to deserve, but yet far less likely to be able to afford, say, a wildcard certificate from a trusted certificate signing authority to secure the membership, donations or payment pages of their web sites. Is it right that, just because a person or group is unable or unwilling to pay an annual fee to a certain corporation, visitors to their web sites, the sites of these less-profitable entities, are made to feel less trusting, or outright suspicious of the integrity of their security systems, because they couldn't afford the "true trust" of a Verisign certificate, even though they use the very same open source Apache, Mozilla, OpenSSL and other free software systems that Amazon relies on for security? Like the phenomenon of open source itself, the concept of non-profit CAs (or Open Certificate Authorities) has an obvious spirit of fairness, an intuitive sense of correctness, the potential to provide a *far* higher quality service to far more of the public and the world's population in general, and at far lower cost than existing commercial alternatives, and therefore the power to severely disrupt existing commercial industries. So what, then, is The Mozilla Organization waiting for? -dave -- David Kaufman