Firefox and Self-Ä´°õ¤¹¤ëd Certs

¸«²ò¡¿ËÝÌõ¡¿ÈÇ 1.01 - 2010-11-04

(en Fran?ais)

In summer 2008 there was a lot of discussion on the topic of Firefox's ·Ù¹ðs about SSL ¾ÚÌÀ½ñs which are ̵¸ú¤Î or not Ä´°õ¤¹¤ëd by a known Åö¶É ("self-Ä´°õ¤¹¤ëd"). Comment, ¿½¤·¹þ¤à¡¿¿½¤·½Ðing ¤µ¤Þ¤¶¤Þ¤Ê levels of support or Èãɾ, ¡Êµ¡¤Î¡Ë¥«¥à from Lauren Weinstein, Robert Accettura, Slashdot (twice), PC World, Nat Tuck, BetaNews, and Pingdom. I also had a Îà»÷¤Î, ¤ä¤á¤ë heated discussion over dinner at ÌÀ¸À¤¹¤ë¡¿¸øɽ¤¹¤ë of the ÃÏ¿Þ¡¿·×²è¤¹¤ë 2008. People also seemed ²ø¤·¤²¤Ê of the Æ°µ¡¤Å¤±s behind Firefox's ¾µÇ§ of EV ¾ÚÌÀ½ñs.

This page explains why Firefox's SSL UI was designed the way it was, and why we think it's ¸¢Íø.

°ÂÁ´ = Encryption * Authentication

Before we begin, we must understand that °ÂÁ´ = Encryption * Authentication. World-class encryption * ̵ authentication = ̵ °ÂÁ´. This is an ÀäÂÐ ·èÄêŪ¤Ê point which sadly is not ¤·¤Ã¤«¤êÄϤàd by many ´Ø·¸¼Ôs in the ¿³µÄ. There's no point in encrypting your data with a secret ½ÅÍ×¤Ê if you don't know whose ½ÅÍ×¤Ê it is and who you are sending it to. That is a recipe for a Man in the Middle attack. Lauren Weinstein said:

But in many ¾õ¶·¡¿¾ðÀªs, we're not ´Ø¿´d about ¿È¸µ in particular, we just want to get the basic https: crypto stream up and running.

But there is no such ¾õ¶·¡¿¾ðÀª. If you don't know who you are talking to, then encryption is useless because you could be talking to an ¹¶·â¼Ô. (Self-Ä´°õ¤¹¤ëd certs ¸½¼Â¤Ë do ¶¡µë¤¹¤ë some ways for you to know who you are talking to in a ¸Â¤é¤ì¤¿¡¿Î©·ûŪ¤Ê fashion, and we'll come on to those.) If you don't do anything to check whether you are talking to who you think you are, or if you do the wrong checks, then all the crypto is a waste of time.

Some argue that Äɲ乤ëing encryption, even without authentication, is a ˸¤²¤ë¡¿Ë¡ÄÊÛ¸î»Î¶È-raising ±é½¬ which defends against basic packet Æ÷¤¤¤ò¤«¤°ing. Nat Tuck says:

Snooping a ´Ø·¸ (i.e. on a wireless link) is much easier than any of the impersonation attacks that SSL authentication ˸¤²¤ës.

However, that's ´Êñ¤Ë no longer true. The newly-raised ˸¤²¤ë¡¿Ë¡ÄÊÛ¸î»Î¶È is still at the point-and-click level - MITM attacks are that Ê¿°×¤Ê these days. For more ¾ÜºÙ¡Ê¤Ë½Ò¤Ù¤ë¡Ës of just how Ê¿°×¤Ê, see johnath's blog ÃÏ°Ì¡¤Ç¤Ì¿¤¹¤ë.

So some authentication is Í׵᤹¤ëd. But how much? Let's look at three use »öÎã¡¿´µ¼Ôs for °ÂÁ´¤Ê¡¦Êݾڤ¹¤ë ´Ø·¸s on the web. They are, in ¸º¾¯¡Ê¤¹¤ë¡Ëing order of authentication strength:

1. You want to know what organization you are talking to.
2. You want to know that you are connected to the ¸¢Íø domain »Ø̾¤¹¤ë.
3. You want to know that you can repeatably connect to the same person or place.

1: Strong ÁÈ¿¥¤Î ¿È¸µ

¥·¥Ê¥ê¥ª 1 ŬÍѤ¹¤ës in ¾õ¶·¡¿¾ðÀªs such as banking or e-¾¦¶È. Rather than have to know and remember that http://www.bankofamerica.com/ is Bank of America, È¿¤·¤Æ http://www.bank-of-america.com/ is not, Joe Public would much rather that their web browser said "Bank of America, Inc. (US)" to ½üµî¤¹¤ë all µ¿Ìä. Joe would like to know that someone had ¸½¼Â¤Ë gone away and made sure that only the real Bank of America in the US can get a cert which says that, and if he gets scammed, that someone knows where to send the police.

This is, in a nutshell, the service that EV certs ¶¡µë¤¹¤ë. Now, some have said that this is what the CAs should have been doing all along, and how come they get to ¹ðȯ¡Ê¤¹¤ë¡Ë¡¤¹ðÁʡʤ¹¤ë¡Ë¡¿ÎÁ¶â more money for it now? Even after ¸ø¼°Ê¸½ñ¡¤Ç§¤á¤ëing that DV isn't good enough, Robert Accettura still ¡Ê¿ÍÌ¿¤Ê¤É¤ò¡ËÃ¥¤¦¡¤¼çÄ¥¤¹¤ës that:

Essentially EV SSL is nothing more than a ·×²è¡¿±¢ËÅ to ¹ðȯ¡Ê¤¹¤ë¡Ë¡¤¹ðÁʡʤ¹¤ë¡Ë¡¿ÎÁ¶â more. EV SSL is supposed to do what a Ä´°õ¤¹¤ëd ¾ÚÌÀ½ñ should have been doing all along.

That second Àë¹ð¡¤È½·è may be true, although one can argue about who was ÀÕǤ¤¬¤¢¤ë the pre-EV ¾õ¶·¡¿¾ðÀª in the ¾ÚÌÀ½ñ market. For a long time, certs with almost no checking looked the same in browser UI as certs with good checking. So all the incentives were to do ¤¤¤Ã¤½¤¦¾¯¤Ê¤¯ checking. But then, no UI differentiation was possible, because there was no ÆÈΩ¤·¤¿¡¦Ìµ½ê° ´ð½à for what "good checking" meant anyway. There were faults on both Ì£Êý¤¹¤ës.

Prices for ´ð½à domain-validation certs are now as low as ²òÊü¤¹¤ë¡¿¼«Í³¤Ê - and for that money, you get no ¿È¸µ checking at all. EV certs cost EV prices because the CAs ¸½¼Â¤Ë do all the checks defined in this ʸ½ñ (PDF), and are audited to make sure they do. If you think EV doesn't Äɲ乤ë any extra Êݸî, tell us how fraudsters can fool those checks. We helped Îá¾õ this ´ð½à, and we will ľ¤¹¡¿Çã¼ý¤¹¤ë¡¤È¬É´Ä¹¤ò¤¹¤ë anything that is broken.

We think that EV ¶¡µë¤¹¤ës us a way to put a human-readable ÁÈ¿¥¤Î identifier in the browser UI with high ¿®ÍÑ¡¿¿®Ç¤ that it's ÄûÀµ¤¹¤ë. There is no other ¸ºß¤¹¤ëing technical way to ÆÀ¤ë this sort of reliable identifier. And we think this is useful in helping people to know the ¿È¸µ of who they are talking to. That's the value EV ¶¡µë¤¹¤ës - authenticated ¿È¸µ.

2. Domain Ω¾Ú

¥·¥Ê¥ê¥ª 2 ŬÍѤ¹¤ës in ¾õ¶·¡¿¾ðÀªs like webmail. Your email ±éÀâ¡Ê¤¹¤ë¡Ë¡¿½»½ê is fred@myispmail.com, so you want to know you are at myispmail.com, and you want encryption, but you don't ÆÃ¤Ë need to be told who runs myispmail.com - you know it's MyISP.

One important thing to ¸ø¼°Ê¸½ñ¡¤Ç§¤á¤ë is that DNS is not °ÂÁ´¤Ê¡¦Êݾڤ¹¤ë - it can be spoofed, as Dan Kaminsky has recently ÏÀ¾Ú¤¹¤ëd. (Dan has some Íø±×¡¿¶½Ì£ing thoughts about the interaction of DNS ·ç´Ùs and ¾ÚÌÀ½ñ ·ç´Ùs. His one line Í×Ìó: "weak authentication leads to pwnage".) DNSSEC is still some way off and, until it arrives, you can't be sure that the IP ±éÀâ¡Ê¤¹¤ë¡Ë¡¿½»½ê DNS returns when you look up "myispmail.com" is ÄûÀµ¤¹¤ë. You could be sent anywhere. SSL ¾ÚÌÀ½ñs from a ¿®ÍÑd third party are the only way of ³Î¼Â¤Ë¤¹¤ëing that you are ¸½¼Â¤Ë connected to the ¾ì½ê¡¿°ÌÃÖ you asked for. That is the service you are getting with a DV cert. This does not have to cost you anything. The ¤Ë°ú¤­Â³¤¤¤Æ providers ¶¡µë¡Ê¤¹¤ë¡Ë ²òÊü¤¹¤ë¡¿¼«Í³¤Ê ¾ÚÌÀ½ñs¹:

• StartCom (1 year Í­¸úÀ­¡¤¸úÎÏ)
• Comodo (90 day Í­¸úÀ­¡¤¸úÎÏ)
• Thawte (21-day Í­¸úÀ­¡¤¸úÎÏ)

If Èó¡¤ÉÔ¡¤Ìµ of the above ¹µÁÊ you, year-long all-browser ¾ÚÌÀ½ñs can be had for as little as $14.99 from some vendors.

In an ideal world, ¸ºß sure you are connected to the ÄûÀµ¤¹¤ë ¾ì½ê¡¿°ÌÃÖ would be something the Internet ¶¡µë¤¹¤ëd for ²òÊü¤¹¤ë¡¿¼«Í³¤Ê. DNS was designed in a time when people didn't think malicious people would try to subvert it, and the proper ľ¤¹¡¿Çã¼ý¤¹¤ë¡¤È¬É´Ä¹¤ò¤¹¤ë has not yet been ¡Ê·³Ââ¤ò¡ËŸ³«¤¹¤ë¡¤ÇÛÈ÷¤¹¤ëd. Until it is, IMO, the hassle of ÆÀ¤ëing a ²òÊü¤¹¤ë¡¿¼«Í³¤Ê ¾ÚÌÀ½ñ is not an exorbitant price to »Ùʧ¤¦¡¿Ä¶â to ľ¤¹¡¿Çã¼ý¤¹¤ë¡¤È¬É´Ä¹¤ò¤¹¤ë the °ÂÁ´ ·ê¤ò³«¤±¤ë.

(Excursus: if domain ½êÍ­¸¢ is ¼Â¾Ú¤¹¤ëd by sending email to a ÀÜ¿¨¤¹¤ë at the domain, then this sort of ¾ÚÌÀ½ñ could be fraudulently ÆÀ¤ëd by an ¹¶·â¼Ô who is able to »ÙÇۡʤ¹¤ë¡Ë¡¿ÅýÀ©¤¹¤ë the CA's DNS or Â羡¤¹¤ëing by Kaminsky-like methods, BGP or Îà»÷¤Î attacks - because they can ·Þ·â¤¹¤ë the email. So in fact, in some ways, the °ÂÁ´ of such certs does depend on the °ÂÁ´ of the DNS. Which is worrying.)

3. ´Ø·¸ Repeatability

¥·¥Ê¥ê¥ª 3 ŬÍѤ¹¤ës when you want to make sure you are connected to the same person you were connected to before.

This is where the »Ù»ý¼Ôs of self-Ä´°õ¤¹¤ëd certs say that they come in. Often, they say: "$14.95 is still too expensive - why can't I self-Ä´°õ¤¹¤ë my cert?" Frank ¸ø¼°Ê¸½ñ¡¤Ç§¤á¤ës that this form of the argument is a Èó¡¤ÉÔ¡¤Ìµ-sequitur. The °ÂÁ´ or ¤µ¤â¤Ê¤±¤ì¤Ð of self-Ä´°õ¤¹¤ëd certs is not connected to the cost of CA certs. But we still should ±éÀâ¡Ê¤¹¤ë¡Ë¡¿½»½ê the ÌäÂ꡿ȯ¹Ô¤¹¤ë.

We've already ¸ø¼°Ê¸½ñ¡¤Ç§¤á¤ëd that if you have ̵ authentication, you have ̵ °ÂÁ´. Self-Ä´°õ¤¹¤ëd certs ¶¡µë¤¹¤ë Èó¡¤ÉÔ¡¤Ìµ-̵ authentication if you do the ¤Ë°ú¤­Â³¤¤¤Æ:

1. ³Îǧ¤¹¤ë the ½ÅÍ×¤Ê »ØÌæ out-of-¶Ø»ß¡Ê¤¹¤ë¡Ëd (i.e. by Èó¡¤ÉÔ¡¤Ìµ-web means) on first connect.
2. Make sure it's always the same thereafter (¥½¥Õ¥È¥¦¥§¥¢ ÉáÄÌ¤Ï does this for you automatically).
3. Re-³Îǧ¤¹¤ë the new »ØÌæ out-of-¶Ø»ß¡Ê¤¹¤ë¡Ëd if the ½ÅÍ×¤Ê changes.

If you do these three things, you get a repeatable °ÂÁ´¤Ê¡¦Êݾڤ¹¤ë ´Ø·¸ to whoever it was you ÀÜ¿¨¤¹¤ëd out-of-¶Ø»ß¡Ê¤¹¤ë¡Ëd in step 1).

Leaving aside the fact that many people who use this model for SSH don't bother to do 1) in practice but just say "¾µÇ§¤¹¤ë" and hope, it is our ¼çÄ¥ that no-one has yet come up with a UI that makes this model of crypto (known as ½ÅÍ×¤Ê Ï¢Â³ ´ÉÍý¡¿·Ð±Ä - KCM - or "the SSH model") Íý²ò¤Ç¤­¤ë to Joe Public. You can't ¶¡µë¤¹¤ë him with a string of hex characters and ¿äÄꤹ¤ë¡¿Í½ÁÛ¤¹¤ë it to read it over the phone to his bank. What he does instead is just click "¾µÇ§¤¹¤ë", which might ƱÍÍ¤Ë be labelled "Yeah, Whatever", and hopes for the best. The same thing happens when he gets "½ÅÍ×¤Ê changed!" ·Ù¹ðs, even scary ones.

The first important thing to ¸ø¼°Ê¸½ñ¡¤Ç§¤á¤ë about this model is that ½ÅÍ×¤Ê changes are an ¿äÄꤹ¤ë¡¿Í½ÁÛ¤¹¤ëd part of life. No-one does or should use the same ½ÅÍ×¤Ê for ever, and ½ÅÍ×¤Ê ÂŶ¨ or discovered ¾ÚµòÉÔ½½Ê¬ means that ½ÅÍפÊs change. So the »ÈÍÑ¼Ô is going to get a °ìÏ¢¤Î ·ÙÊós over time, some of which ¼¨¤¹ an ¾µÇ§¤¹¤ë ¾ò·ï, and some of which ¼¨¤¹ a dangerous ¾ò·ï. It is our ¼çÄ¥ that no UI can navigate Joe through this Ê£»¨¤µ in a °ÂÁ´¤Ê way.

Usability ¸¦µæ tells us that repeated °ÂÁ´ dialogs and ·Ù¹ðs habituate »ÈÍѼÔs into just clicking "¾µÇ§¤¹¤ë" - it's the "Yeah, Whatever" thing again. If that dialog mostly ¼¨¤¹s a benign ¾ò·ï but occasionally ¼¨¤¹s a serious one, then the problem is ¹½Æâ¡¿²½¹çʪd. This happens no »öÊÁ what the dialog says. UI designers can work on the ¸À¤¤²ó¤· for a year, but whatever it is, it'll ·ë¶É just get ignored.

Secondly, there's no Êݸî against ÂŶ¨d ½ÅÍפÊs. If someone gets »ý¤Ä¡¿¹´Î±¤¹¤ë of your »äŪ¤Ê ½ÅÍפÊ, they can impersonate you at will - and there's nothing you can do about it. The revocation story for SSL ¾ÚÌÀ½ñs has Îò»ËŪ¤Ë also been poor for Æõö and ¶ÈÀÓ¡¿À®²Ì ¿äÏÀ¤¹¤ë¡¿Íýͳs, but that's changing with the advent of OCSP, which is Í׵᤹¤ëd for EV ¾ÚÌÀ½ñs from 2010. ½ÅÍ×¤Ê ÂŶ¨ is not just a theoretical problem - almost all SSL ½ÅÍפÊs À¸À®¤¹¤ëd on Debian systems for the 18 months to May 2008 are Á´¤¯ ÂŶ¨d, ͽÄê to a ·ç´Ù in the ̵ºî°Ù¤Î number ȯÀ¸¤µ¤»¤ë¿Í¡Êʪ¡Ë. ¹¶·â¼Ôs can work out the »äŪ¤Ê ½ÅÍ×¤Ê if they know the public one.

There's also a privacy ÌäÂ꡿ȯ¹Ô¤¹¤ë - the browser has to keep a ̾Êí¡Ê¤ËºÜ¤»¤ë¡Ë¡¿É½¡Ê¤Ë¤¢¤²¤ë¡Ë of SSL ¾ì½ê¡¿°ÌÃÖs you've visited and (unless you want yet more cert change ·Ù¹ðs) can't ¡Êµ¿¤¤¤ò¡ËÀ²¤é¤¹ it when you ¡Êµ¿¤¤¤ò¡ËÀ²¤é¤¹ your history etc.

"¾µÇ§¤¹¤ë," you may say. "This model is not for Joe. But why can't I use it? I understand the ´í¸±s. I Ìó« to ³Îǧ¤¹¤ë my ½ÅÍ×¤Ê »ØÌæs out-of-¶Ø»ß¡Ê¤¹¤ë¡Ëd for every new ´Ø·¸ or ½ÅÍ×¤Ê change. Really. I Ìó«."

The ·èÄêŪ¤Ê problem here, that cannot be ¶¯Ä´¤¹¤ë¡¿¥¹¥È¥ì¥¹d enough, is that while this is a reasonable ´ê˾¡Ê¤¹¤ë¡Ë in a (very small) Áªµó¶è¡¿Í­¸¢¼Ô of geeks like us, we have not ÀßΩ¤¹¤ë a way to make it any easier for geeks to use the KCM model without putting at ´í¸± all the people who only ever use the ´ð½à model. The ¾ÚÌÀ½ñ change ·Ù¹ðs which are a Àµµ¬¤Î¡¿ÀµÁª¼ê part of life in KCM ¼¨¤¹ an attack in normal SSL usage. We don't want to ºÇ¾®¸Â¤Ë¸º¤é¤¹ the ¿¿ÌÌÌܤµ of the ·Ù¹ðs that Êݸ¤ë »ÈÍѼÔs in normal use, or the difficulty of bypassing them.

But what about Intranets? Why should they have to »Ùʧ¤¦¡¿Ä¶â? There are two possible answers. One ²òÅú is to Ǥ̿¤¹¤ë¡¿Æ³Æþ¤¹¤ë the company's root in the browser. Everyone can do this manually or the IT department can use the ¡ÊÊÛ¸î»Î¤Î¡Ë°ÍÍê¿Í Customizability Æ»¶ñ (CCK) to make a custom Firefox.

However, running your own CA has its own hidden costs - and you ÉáÄÌ¤Ï discover them after a ½ÅÍ×¤Ê ÂŶ¨ when you have to update all the ¾ÚÌÀ½ñs at once, and everyone has to learn a lot about crypto really quickly. A simpler ²òÅú is just to get in touch with StartCom, or ͽ»» for a few »Ù½Ðs of $14.95 or whatever, and use the same public CA system everyone else does.

·ëÏÀ

This ÌäÂ꡿ȯ¹Ô¤¹¤ë is not as simple as it appears. We have done a lot of thinking about what's possible and °ÂÁ´¤Ê, and what isn't. Like all that Mozilla does, this is driven by a ´ê˾¡Ê¤¹¤ë¡Ë to Êݸ¤ë our »ÈÍѼÔs, not a ´ê˾¡Ê¤¹¤ë¡Ë to make people »Ùʧ¤¦¡¿Ä¶â for SSL ¾ÚÌÀ½ñs (why would that be a goal?). We are open to suggestions, but think the ¸½ºß¤Î UI ¹¶·â¤¹¤ë¡¤¾×Æͤ¹¤ës the ¸¢Íø balance.

---

ÆÃÊ̼êÅö Section: Slashdot Myths Rebuttal

All of the below are °úÍѤ¹¤ës or ideas from Slashdot comments.

any cert can be ÂŶ¨d within seconds after it is ÌäÂ꡿ȯ¹Ô¤¹¤ëd, [...] therefore, certs ¶¡µë¤¹¤ë NO Êݾڡ¿³Î¿® you're connected to who the URL ¼¨¤¹s you are.

A cert can be ÂŶ¨d "within seconds of ¸ºß ÌäÂ꡿ȯ¹Ô¤¹¤ëd" if e.g. your website has already been Àڤ곫¤¯¡¿¥¿¥¯¥·¡¼¡¿ÉÔÀµ¥¢¥¯¥»¥¹d when you Ǥ̿¤¹¤ë¡¿Æ³Æþ¤¹¤ë it - in which »öÎã¡¿´µ¼Ô, you have bigger problems. Even taking this rare ²ÄǽÀ­ into account, the second À¼ÌÀ is only true if there is no revocation. In other words, it is true of self-Ä´°õ¤¹¤ëd certs but not of e.g. EV certs.

CAs who ¹ðȯ¡Ê¤¹¤ë¡Ë¡¤¹ðÁʡʤ¹¤ë¡Ë¡¿ÎÁ¶â nothing cannot be À®¤·¿ë¤²¤ëing any ¿È¸µ Êݾڡ¿³Î¿®s at all

Many companies choose to give away particular services for ²òÊü¤¹¤ë¡¿¼«Í³¤Ê, which have a Èó¡¤ÉÔ¡¤Ìµ-̵ cost associated with them, for ¾¦Çä¡¿»Å»ö ¿äÏÀ¤¹¤ë¡¿Íýͳs.

Verisign is a monopoly. The 100 CAs in FF are all monopolies

This is somewhat self-È¿Çý¤¹¤ëing. Depending on how you count, there are over 40 different CAs in the Firefox root Ãߤ¨¤ë¡¿Å¹, of which many are also in the root Ãߤ¨¤ë¡¿Å¹s of the other browsers. They ¶¡µë¤¹¤ë ¾ÚÌÀ½ñs and services at a wide ÈÏ°Ï of price points.

¡Ä¤ËÈ¿ÂФ¹¤ëing self-Ä´°õ¤¹¤ëd certs ¾ÚÌÀ¤¹¤ës you're in ¹¥°Õ of Verisign's monopoly

Verisign doesn't have a monopoly (see above). This argument is a »öÎã¡¿´µ¼Ô of ÆÇ¡ÊÌô¡Ëing the °æ¸Í¡¿ÊÛ¸î»ÎÀÊ.

self-Ä´°õ¤¹¤ëd certs ¶¡µë¤¹¤ë better ¿È¸µ³Îǧ¡¤¿Èʬ¾ÚÌÀ than no SSL certs

A ¸í¤Ã¤¿ sense of °ÂÁ´ is worse than no °ÂÁ´.

certs cost at least USD$100 per year, ¾ÚÌÀ½ñs costs are horrendous

See the main text. In fact, for many people or organizations $100 is an upper ¸Â³¦ because for about that much you can get a wildcard ¾ÚÌÀ½ñ for as many websites in the same domain as you like.

"chained certs" are inferior to those ÌäÂ꡿ȯ¹Ô¤¹¤ëd ľÀÜ¡¿¤Þ¤Ã¤¹¤°¤Ë by a root CA.

Chained certs mean that the CA does not use their embedded root ¾ÚÌÀ½ñ ľÀÜ¡¿¤Þ¤Ã¤¹¤°¤Ë for Ä´°õ, which means they can have it locked up somewhere °ÂÁ´¤Ê and inaccessible. Therefore, certs which are chained are, if anything, safer.

CAs ÏÅϨ Mozilla to put their certs into Firefox

Mozilla does not solicit or ¼õÂ÷¤¹¤ë »Ùʧ¤¤¡Ê³Û¡Ë for ·¹¸þ in the root Ãߤ¨¤ë¡¿Å¹.

No certs ¶¡µë¤¹¤ë any real Êݾڡ¿³Î¿®s at all because anyone can get a cert for any organization »Ø̾¤¹¤ë or any domain »Ø̾¤¹¤ë they wish.

No-one should be able to get a cert a domain »Ø̾¤¹¤ë they don't »ÙÇۡʤ¹¤ë¡Ë¡¿ÅýÀ©¤¹¤ë (unless they self-Ä´°õ¤¹¤ë it). If you have ¾Úµò they can, let's see it. DV certs do not vet the O (Organisation) field, but Firefox does not show that field in the UI for such certs, so that's ¾µÇ§¤¹¤ë.

Verisign is a º¾µ½ because people have Ä´°õ¤¹¤ëd malware with authenticode certs ÌäÂ꡿ȯ¹Ô¤¹¤ëd by Verisign.

¾ÚÌÀ½ñs are about ¿È¸µ, not virtue.

CACert is the only ²òÊü¤¹¤ë¡¿¼«Í³¤Ê CA

See the main text.

CAs do nothing more than run OpenSSL, which you can do for yourself for ²òÊü¤¹¤ë¡¿¼«Í³¤Ê.

Check out the WebTrust ¸¶Â§s and ´ð½à to get some idea of the levels of ÀµÄ¾¤µ and °ÂÁ´ CA systems have to ²ñ¹ç¡¤²ñ¤¦.

---

This article is licensed under CC-BY-SA 3.0 or later.

[1] And what of CAcert? CAcert's unique position has Í׵᤹¤ëd Mozilla to be very Í»Ä̤¹¤ëing ¡¼¤Ë´Ø¤·¤Æ¡¿¡¼¤ÎÅÀ¤Çs of making sure they can fit with our ¼ê³¤­s. They don't yet have the "fair-but-²ñ¼Ò¡¿·ø¤¤" audit that our ɬÍ×ʪ¡¿É¬Í×¾ò·ïs ¼ûÍס¦Í׵᤹¤ë, but their ¿ÊÊâ is here. (¸ø¼°Ê¸½ñ¡¤Ç§¤á¤ë that one item on that ̾Êí¡Ê¤ËºÜ¤»¤ë¡Ë¡¿É½¡Ê¤Ë¤¢¤²¤ë¡Ë is "new roots".) We would be very happy to see that ²áÄø ²ò·è¤¹¤ëd as soon as possible, and to have another ²òÊü¤¹¤ë¡¿¼«Í³¤Ê, but audited, ÁªÂò in our root Ãߤ¨¤ë¡¿Å¹.