Comment 82 for bug 232340

In , Duane-cacert (duane-cacert) wrote :

(In reply to comment #81)
> As I understand it CAcert doesn't meet the WebTrust criteria (please correct me
> if I'm wrong here) which is what MF is going to use to judge CAcert. Don't get

We have the potential to get funding to become WebTrust certified, BUT the biggest
problem people see with it is the ongoing yearly fee, and it's seen as a waste
of money for little/no benefit (although we're curious about how many CAs get
WebTrust certified and then don't bother renewing after that, and how many are
revoked by MF or MS).

> me wrong, I don't think WebTrust CAs are more secure than CAcert, but that's
> MF's position on it, or at least they don't want to be seen as making a
> judgement on their own. I just think it's better to get the CAcert root cert
> distributed, turned off by default, than not distributed at all. CAcert is a
> new model and the MF may need some time to get used to it. If the policy is
> finalized as-is and CAcert doesn't meet WebTrust criteria, it would be time to
> lobby for a lesser standard for MF to distribute certs not turned on.

Frank has already stated publicly "WebTrust or equivalent", and we're putting a
lot of focus on what it would take to pass an audit similar to WebTrust.

> have a look at comment #66 from Kjetil Kjernsmo.

Again, I don't see the point; all the phishing scams I know of have used browser
exploits or social engineering techniques, they haven't used SSL. (Although I do
recall someone posting about a scam that did, 1 out of 50,000,000,000 isn't very
good odds that they will occur.)

Furthermore, if I were so inclined to run a phishing scam, there are numerous CAs
out there that will issue 1- and 2-year certs with only proof of domain
ownership needed, which isn't likely to prove anything more than that you can abuse credit
cards and the CA system.

Apparently quite a bit of the spyware these days is code signed, and the
majority of spammers have better-working Sender ID etc. than most normal email
admins, so the things that are marketed as being able to prevent these things
generally don't live up to expectations.