The strange tale of a CA and Mozilla…

A very interesting Mozilla discussion thread + bug was pointed out to me the other day.  Basically, the guys/girls over at WISeKey are attempting to get their root CA included in Mozilla's built-in trusted CA list.  Here is the link to the bug that was filed: Link.

The bug was originally submitted on 02-23-2007.  If you read through the bug and the associated discussion you can basically see the handlers going back and forth with WISeKey about some items.  Basically, the handlers are attempting to ensure that WISeKey's ducks are in a row for the submission, gathering any additional needed information, and shoring up any assurance and mutual trust concerns.

This is all very normal stuff considering that WISeKey not only does managed PKI, but also allows customers to chain off of their trusted roots.  Hence... if you read through the discussion there are concerns about how WISeKey ensures their customers comply with stated assurance practices and most importantly prevents them from doing bad things with their newly minted publicly trusted CAs.

Anyhow, this back and forth goes on for about a year, at some point WISeKey provides enough information, quells the assurance questions, and "purchases" the WebTrust seal so that on 01-18-2008 the handler approves the submission and opens up a period of public discussion for this request.  Please note, the comment about the public discussion: "The normal comment period is two weeks, unless issues are brought forth that warrant further discussion."

Well, this is when the story gets strange.  From here on, some more discussion ensues on the bug and if you drop over to the public discussion things really get interesting: Link.  Reading through the thread, it starts out with more questions about the assurance guarantees of WISeKey's customers.  Then, very quickly... the discussion devolves to include topics such as:

  • Questioning effectiveness of name constraints
  • Whether or not the business models of commercial CAs is valid
  • Whether or not Mozilla should be responsible for ensuring the validity of trusted certificates.
  • At one point, someone points out Thawte had violated their CPS.
  • Etc.

Then on 02-15-2008, the discussion suddenly stops with the bug still open.

My Soapbox

First off, why the heck hasn't the handlers moved forward with approving WISeKey's request?  Or, at least, the handlers should have rejected it, requested more information, or something.  Letting someone sit in limbo is not very nice.  Secondly, this scenario... and the associated discussion painfully points out something I have said for a very long time now.  Err... there are some problems with PKI.  This whole business of establishing mutual trust, building the list of pre-approved trusted CA, figuring out how someone else's idea of assurance matches your idea of assurance, and so on, is a freak'en pain in the butt.  Not to mention... little things like these:

  • WebTrust
  • Gatekeeper Public Key Infrastructure (PKI) Framework
  • European Directive for Electronic Signatures
  • All the other freak'en digital signature acts that have been passed by numerous countries and U.S. states...
  • Oh and hey don't forget Japan's GPKI
  • Etc.

The list can and would just go on and on... In fact, one might say it's out of control.  Isn't it time for a central body to sit down, hammer out the final way of doing things, and ensure there is a common way for doing this?

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

Copyright © 2008 IDG Communications, Inc.

IT Salary Survey 2021: The results are in