<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=utf-8">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";
color:black;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.q
{mso-style-name:q;}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page Section1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
{page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body bgcolor=white lang=EN-US link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>CAcert Is not in a browser as one particular mega-CA trade
association turned CAcert into a kick ball. They inappropriately used their
influence to set the bar in the major browsers distribution so the very “category
of’ open-source’ trust model” being pursued by CAcert is hindered - and can only
fail to pass the bar. It’s shameful position for Mozilla to take, tho. quite an
understandable decision by the likes of Apple, Opera and Microsoft and the
phone companies (which are businesses).<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>If I use an all-too-recent American history lesson: folks rig
elections by setting reading standards that certain population groups cannot
pass; they rig the schooling system so can cannot learn to read; they rig the
bus system so one cannot get to school; they rig the food service outlets so
you go hungry if you try; they rig the public toilet policy so you suffer, on
long bus journeys; they ensure there are no hotels for you to say mid trip;
they set the vagrancy laws so folks without hotels are criminalized, etc. End process
is, 100 years later, you still cannot read, and thus vote for folks who have the
power to change any of all that apparatus of oppression.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";
color:windowtext'>From:</span></b><span style='font-size:10.0pt;font-family:
"Tahoma","sans-serif";color:windowtext'> Eddy Nigg (StartCom Ltd.)
[mailto:eddy_nigg@startcom.org] <br>
<b>Sent:</b> Friday, July 13, 2007 9:43 AM<br>
<b>To:</b> John Wang<br>
<b>Cc:</b> Peter Williams; OpenID - General<br>
<b>Subject:</b> Re: [OpenID] Rule of thumb<o:p></o:p></span></p>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>Hi John,<br>
<br>
John Wang wrote: <o:p></o:p></p>
<p class=MsoNormal>On 7/13/07, <b>Eddy Nigg (StartCom Ltd.)</b> <<a
href="mailto:eddy_nigg@startcom.org">eddy_nigg@startcom.org</a>> wrote: <o:p></o:p></p>
<div>
<blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;
margin-left:4.8pt;margin-right:0in'>
<div>
<p class=MsoNormal>Yes, there is something wrong with it and you should ask
yourself, why CAcert isn't in any browser at all....just ask the Mozilla folks
about it...If you need digital certification for low-assurance and encryption
purpose only you can get them for free from StartCom: <a
href="http://cert.startcom.org/" target="_blank">http://cert.startcom.org/</a>
(Class 1, one year valid).<o:p></o:p></p>
</div>
</blockquote>
<div>
<p class=MsoNormal><br>
Thanks for mentioning StartCom, Eddy. I haven't looked at TLS/SSL certs in a
while, this is new and welcome to me. <o:p></o:p></p>
</div>
</div>
<p class=MsoNormal>I thought that to be already common knowledge ;-)<br>
<br>
<o:p></o:p></p>
<div>
<div>
<p class=MsoNormal>As for why CAcert isn't a browser, I figured there was an
artificial linkage between encryption and trust in TLS/SSL that doesn't need to
be there, except that's how the technology and user acceptance matured. I'm not
sure whether the issue is more that CAcert is doing something wrong or that
TLS/SSL matured differently than it could have. A hypothetical question is
whether it's wrong to have the browser pre-trust any CA for their users? <o:p></o:p></p>
</div>
</div>
<p class=MsoNormal>Most browsers have very similar conditions for shipping a
certain CA root in their software by default. You might have a look at <a
href="http://www.mozilla.org/projects/security/certs/policy/">http://www.mozilla.org/projects/security/certs/policy/</a>
in order to understand what they are (very reasonable and not too difficult to
understand). Now CAcert, as a community driven web-of-trust scheme
"CA", can't meet the basic requirements. In that respect a user
should judge carefully if he wants to trust a certain CA - which isn't something
everyone browsing the Internet can really understand without an investment in
time and certain knowledge. But CAs built into the browser (and other software)
meet the requirements put forward by the software vendor. Most likely that for
most users, these checks and conditions put forward by the software vendor are
sufficient!<br>
<br>
<o:p></o:p></p>
<div>
<div>
<p class=MsoNormal><br>
I haven't looked into Mozilla's specific reasons for excluding CAcert but
assuming the reason can be generalized, if there is something wrong with
CAcert, then could the same reasoning be used for many IDPs? <o:p></o:p></p>
</div>
</div>
<p class=MsoNormal style='margin-bottom:12.0pt'>Yes, I think so! This is one of
the things I suggested many times already, so I don't think that IDPs have to
meet the same requirements as for CAs. But certainly the relying party (in the
OpenID world the web site operators of Forums, Blogs etc.) needs to be sure,
that the IDPs he wants to trust conform to a minimal standard and basic
requirements (of operation). David from Verisign suggested, that
"some" third party organizations will perform these services (as for
example Webtrust does for CAs), however I'd certainly prefer that to be
something which would come from the OpenID community itself. Or in other words,
I think some of us should come together and found/operate this service. This
perhaps would allow most sincere IDP operators to perform and provide their
service as OpenID providers, only shutting out the ones which would be used for
spam and other fraudulent use.<o:p></o:p></p>
<div>
<p class=MsoNormal>-- <o:p></o:p></p>
<div>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Regards</span><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'> </span><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Signer:
Eddy Nigg, StartCom Ltd.</span><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Jabber:
<a href="mailto:startcom@startcom.org">startcom@startcom.org</a></span><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Phone:
+1.213.341.0390</span><o:p></o:p></p>
</div>
</div>
</div>
</body>
</html>