Comment 12 for bug 72415

David-gigawatt (david-gigawatt) wrote:

I'd just like to offer my opinion, that while *commercial* software's
dependence on commercial Certificate Signing Authorities seems appropriate to
me, Open Source software, such as (any of) the projects of The Mozilla
Organization, should *not* be depending solely on commercial entities to verify
the integrity of its security model.

As others have pointed out, access to the primary benefit of SSL encryption and
security, which is *trust*, should not be restricted to only those who have
paid a fee for it. The mere existence of a commercial transaction between
someone and Thawte or Verisign or Network Solutions (--oh, wait.. those are all
the same company!) does not, or at least *should* not, in and of itself provide
the public any greater assurance that their systems are secure, that internet
transactions with them are safe, or that their identities are legitimate,
any more than one's trust in the "authority" of the organization signing the
certificate would lead one to have in the first place.

It has been argued that a browser should not ship with *any* installed root
certificates, in order to force the user to realize that they must take the
responsibility to install trust certificates themselves, so that their software
is configured only to trust those whom they themselves have *chosen* to trust,
and whom they've chosen to trust to vouch for the authenticity of others. That
is, after all, the entire point of certificate signing, as Phil Zimmermann wrote
in the original PGP documentation that introduced the world to public key
cryptography, [available from
ftp://ftp.pgpi.org/pub/pgp/2.x/doc/pgpdoc1.txt] "You should use a public key
only after you are sure that it is a good public key that has not been tampered
with, and actually belongs to the person it claims to. You can be sure of this
if you got this public key certificate directly from its owner, or if it bears
the signature of someone else that you trust". For a software project to
install these "trust keys" at all is presumptive at best, and at worst, itself
a technical breach, a security hole. But this is the situation that today has
become the de facto standard for browser software. Mozilla would be criticized
as insecure or incomplete if it did not include the root certificates that are
widely used today in the industry to verify the identity of web sites and the
privacy and integrity of visitors' encrypted communications with those sites.
But to limit Mozilla users, by default, to trusting only those same commercial
Certificate Authorities that Microsoft Internet Explorer trusts does a
disservice to Mozilla users, by lending credibility to the idea that these
companies are the only trustworthy guardians of safe, secure internet
communications.

Especially in light of the level of trust that some of these companies who are
in "the business of trust" have earned with the public so far, the need for a
reliable, trustworthy, not-for-profit Certificate Authority like CACert.org has
been sorely felt by those of us who understand that by installing a root
certificate in our browsers (and email clients, web and mail servers) we
delegate the very critical responsibility for deciding who we trust to the
signer of those certificates.

A non-commercial entity like CACert.org is and has been needed for some time,
in my opinion, and I for one would be quite relieved to see a group that I
really do trust, such as The Mozilla Organization, take the all-important first
step in dispelling this myth (that the commercial software and service
companies would like the public to believe) that SSL certificates are only
as "trustworthy" as the price one pays for them, or that big corporations are
the only places I can feel safe placing my trust. Mozilla and other large,
quality open source software projects are already shattering similar
myths about the relationship between *good* software and commercially developed
software, and it would be great to have Mozilla blaze the trail toward the
creation of a network of Truly Trust-worthy Certificate Signing authorities,
whose missions are, clearly and transparently, actual honest trust and
integrity, rather than merely a shroud of apparent trust cloaking the true
purpose of pure profit.

By installing the CACert.org root certificate in the most popular and
successful open source alternatives to commercial browsers, the Mozilla
Organization has an opportunity to provide an alternative to paid-for trust, to
endorse grass-roots trust networks, and to make a conscientious statement to
its users. Such a very responsible reminder to the browsing public at large,
that no SSL certificate should *ever* be trusted any more than the user trusts
the *signer* of the certificate, I feel is needed sooner rather than later.
More and more mass-market consumers have already come to depend on their
internet access software to conduct their daily financial tasks via the
internet, and thus to protect their sensitive personal communications from
whatever technical threats may exist to the privacy and security of their
internet use. They look to Mozilla to set the standards, to provide and to
recommend the best practices that are in the best interest of the user, as
opposed to those of the organization developing the software. Even non-
technical users already understand that open source projects like Mozilla
define quality. Therefore I believe Mozilla owes it to users to advise and
educate them about any alternatives that exist to placing their privacy in the
hands of any one organization.

To the extent that commercial software companies ship their products configured
to only trust the services of commercial "Trust Providers", users are led to
assume that true security, truly reliable encryption, and true identity are
technically only *possible* using the commercial software and service providers
involved. Such assumptions are disproven by the mere fact that users are using
Mozilla!

They (in our opinion, rightly) trust Open Source software more than
commercially developed software, and The Mozilla Organization owes it to its
users to lead the way by demonstrating that their Open Source software does not
equate true security, reliable encryption, and trust itself, with the purchase
of a signature from one of the "trust provider" corporations whose sole
purposes for existence begin and end with increasing shareholder value.

Organizations that exist for the one purpose of profit do not have any interest
in providing technically sound encryption software, or trustworthy certificate
signing services, beyond that which is profitable to them, which means that it
*is* in their financial interest to discourage, discredit and foster fear,
uncertainty and doubt upon any non-commercial organization such as CACert.org
whose expressly stated mission *is* solely to provide technically sound and
truly trustworthy certificate signing service to everyone, even to those (I
dare say, especially to those) who cannot afford to, or will not choose to,
purchase trust from them.

Individuals, entrepreneurs, small businesses, unincorporated nonprofit
organizations are all perfect examples of entities who are just as likely to
*need*, and to many, *more* likely to deserve, but yet far less likely to be
able to afford, say, a wildcard certificate from a trusted certificate signing
authority to secure the membership, donations or payment pages of their web
sites.

Is it right that, just because a person or group is unable or unwilling to pay
an annual fee to a certain corporation, visitors to their web sites, the sites
of these less-profitable entities, are made to feel less trusting, or outright
suspicious of the integrity of their security systems, because they could not
afford the "true trust" of a Verisign certificate, even though they use the very
same open source Apache, Mozilla, OpenSSL and other free software systems that
Amazon relies on for security?

Like the phenomenon of open source itself, the concept of non-profit CAs (or
Open Certificate Authorities) has an obvious spirit of fairness, an intuitive
sense of correctness, the potential to provide a *far* higher quality service
to far more of the public and the world's population in general, and at far
lower cost than existing commercial alternatives, and therefore the power to
severely disrupt existing commercial industries.

So what, then, is The Mozilla Organization waiting for?

-dave

--
David Kaufman <email address hidden>

www.Gigawatt.com / Power Data Development \ www.ClickSQL.com
         Hosting Scriptage Databasics

www.Power-Data.com
87 East 21st Street, Bayonne, NJ 07002
(201) 436-0668
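The comment's central technical claim, that installing a root certificate delegates the decision of who to trust to that root's signer, and that a certificate is trusted exactly as far as its signer is, can be shown with OpenSSL. The script below is an added example, not part of the comment above nor code from CACert.org or Mozilla. The CA names ("Example Grass-Roots CA", "Some Other CA") and hostnames (member.example.org, bank.example.com) are made up for the illustration. It builds two self-signed roots, has one of them issue leaf certificates, and then verifies those leaves against each root as the "installed" trust store: the leaf passes only when its own signer is in the store, and once that signer is trusted it can vouch for any hostname at all.

```shell
#!/bin/sh
# Added example (not from the original comment or any project it names):
# a certificate is accepted exactly when its *signer* is in the trust store,
# and a trusted signer can vouch for any name whatsoever.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal OpenSSL config so the example does not depend on the system one.
cat >"$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = ca_ext
prompt             = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# make_root FILE "Display Name": a self-signed root CA (hypothetical names).
make_root() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 365 \
    -config "$WORK/ca.cnf" -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# issue_leaf ROOT FILE HOSTNAME: ROOT signs a server certificate for HOSTNAME.
issue_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -config "$WORK/ca.cnf" -subj "/CN=$3" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
  printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$3" >"$WORK/$2.ext"
  openssl x509 -req -in "$WORK/$2.csr" -days 90 -sha256 \
    -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
    -extfile "$WORK/$2.ext" -out "$WORK/$2.pem" >/dev/null 2>&1
}

# verify_leaf TRUSTSTORE LEAF HOSTNAME: prints "trusted" or "untrusted".
# TRUSTSTORE plays the role of the roots the user has chosen to install.
verify_leaf() {
  if openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

make_root grassroots "Example Grass-Roots CA"   # the root the user installed
make_root other      "Some Other CA"            # a root the user did NOT install
issue_leaf grassroots member  member.example.org
issue_leaf grassroots anyname bank.example.com  # same signer, arbitrary name

printf 'member cert, grassroots root installed: %s\n' \
  "$(verify_leaf "$WORK/grassroots.pem" "$WORK/member.pem" member.example.org)"
printf 'member cert, only other root installed: %s\n' \
  "$(verify_leaf "$WORK/other.pem" "$WORK/member.pem" member.example.org)"
printf 'bank cert,   grassroots root installed: %s\n' \
  "$(verify_leaf "$WORK/grassroots.pem" "$WORK/anyname.pem" bank.example.com)"
```

The third line of output is the caveat a practitioner should take from the comment: the trust store does not know or care which names a root was "supposed" to sign for, so whoever holds a trusted root's private key can mint a certificate for any site. Choosing which roots to install is therefore the whole decision, regardless of whether the root is commercial or not-for-profit.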