[cryptography] ssh-keys only and EKE for web too (Re: preventing protocol failings)

Brian Smith bsmith at mozilla.com
Wed Jul 13 20:41:30 EDT 2011


Ian G wrote:
> Well, not financially, more like the policy side is impacted by the
> CAs, which are coordinated in a confidential industry body called
> CABForum. This body communicates internally to Mozilla (being a
> member) and via private comment by CAs to the CA desk.

AFAIK, the CABForum has a very limited influence on Mozilla's CA inclusion policy and all of our CA policy discussions are public:
http://groups.google.com/group/mozilla.dev.security.policy/topics?pli=1

> The chances of them approving or agreeing to EKE are next to nil.

> The problem with Mozilla security
> coding is more this: most (all?) of the programmers who work in that
> area are all employees of the big software providers. And they all
> have a vested interest in working for the status quo, all are opposed
> to any change.

* https://wiki.mozilla.org/Identity/Features/Verified_Email_Service
  https://wiki.mozilla.org/Identity/Verified_Email_Protocol

* https://wiki.mozilla.org/Security/DNSSEC-TLS
  https://bugzilla.mozilla.org/show_bug.cgi?id=589537

* http://www.mail-archive.com/dev-tech-crypto@lists.mozilla.org/msg10018.html
  https://bugzilla.mozilla.org/show_bug.cgi?id=532127
  https://bugzilla.mozilla.org/show_bug.cgi?id=405155
  https://bugzilla.mozilla.org/show_bug.cgi?id=356855

* http://www.usenix.org/events/sec11/tech/
  SSL/TLS Certificates: Threat or Menace?
  Moderator: Eric Rescorla, RTFM, Inc.
  Panelists: Adam Langley, Google; 
             Brian Smith, Mozilla; 
             Stephen Schultze, Princeton University;
             Steve Kent, BBN Technologies 

Cheers,
Brian


