StartCom Web of Trust

October 21, 2006

Mozilla against Debian?

Filed under: security — startcom @ 8:55 am

There were many articles during the last few weeks concerning the Firefox issue on Debian, and it seems that many are getting it completely wrong. So even though too much has been said already on this subject, I decided to write this article and hope, at last, to have the right things put on the table. The issue at hand is of course the much debated request from Mozilla to the Debian developers to refrain from using the Firefox trademark, as long as they change the source code.

Why? It’s not only because the Firefox logo is non-free, but because Firefox stands for a certain standard, policy and quality. Let me explain this and give you a very good reason why Debian’s version of Firefox can’t be called Firefox. One of the reasons I see is that the Debian developers do some really stupid things and add insecure stuff to the code... Yes, you heard right!

Debian adds CA certificates of “certification authorities”, which were never audited nor comply with expected industry standards and behaviors, to the trusted certificate store of Firefox (This according to a claim made by one of these CAs, which includes a screen shot)! Now, Mozilla invests quite some time, effort and resources into this issue to make sure that certification authorities live up to their promises. Mozilla developed clear guidelines and a CA policy, which defines which conditions must be met by certification authorities in order to be shipped as a trusted CA within Firefox. Mozilla in return is to a certain extent responsible for this and has to comply with its own policy...

And here comes Debian, changes the rules and therefore can’t mark it as Firefox! They can call it whatever they like, but it’s not the brand of Firefox anymore, especially by doing such stupid things! Mozilla can’t take responsibility for these changes made by Debian and therefore had to request that Debian either change this dangerous behavior and refrain from adding untrusted CAs to their certificate store, or change the brand name and logo. Needless to say, Debian endangers its own users by doing this, but that’s perhaps their beer…

Note: I’m not affiliated with Mozilla in any way nor do I have any information from Mozilla concerning this issue. Since I work at a certification authority, I’m aware of this behavior by Debian and it was my own reasoning and conclusion on this subject.
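A check a user or packager can run against the trust-store change described in this post, given as an added example (not code from Mozilla, Debian or the author): it lists the certificates a packaged CA bundle trusts that the upstream bundle does not, comparing SHA-256 fingerprints of the DER bytes so that re-wrapped PEM still matches. The bundle contents are constructed placeholders, and all function names are this example's own.

```python
import base64
import hashlib
import re
import ssl

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.DOTALL)


def fingerprints(bundle_text):
    """Return {sha256 hex of DER: DER bytes} for each certificate in a PEM bundle."""
    found = {}
    for pem in PEM_BLOCK.findall(bundle_text):
        der = ssl.PEM_cert_to_DER_cert(pem)  # strips the armor, base64-decodes
        found[hashlib.sha256(der).hexdigest()] = der
    return found


def added_roots(upstream_bundle, packaged_bundle):
    """Fingerprints trusted by the packaged bundle but absent from upstream."""
    upstream = set(fingerprints(upstream_bundle))
    packaged = set(fingerprints(packaged_bundle))
    return sorted(packaged - upstream)


def make_pem(der, width):
    """Wrap DER bytes in PEM armor using the given base64 line width."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + width] for i in range(0, len(b64), width))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed placeholders standing in for DER certificates (not real CAs).
ROOT_A = b"constructed placeholder for audited root A " * 3
ROOT_B = b"constructed placeholder for audited root B " * 3
ROOT_C = b"constructed placeholder for a root added by the packager " * 3

# Upstream ships A and B; the packaged bundle reorders them, wraps the
# base64 at a different width, and adds C.
UPSTREAM = make_pem(ROOT_A, 64) + make_pem(ROOT_B, 64)
PACKAGED = (make_pem(ROOT_B, 76) + "# local addition\n"
            + make_pem(ROOT_C, 76) + make_pem(ROOT_A, 76))

if __name__ == "__main__":
    for fp in added_roots(UPSTREAM, PACKAGED):
        print("trusted locally, not in upstream bundle:", fp)
```

Each fingerprint it reports is a root that needs its own justification before it stays in the store.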

October 6, 2006

Sxipping In, User Centric Identity and its Relationship to a CA

Filed under: Digital Identity, identity — startssl @ 9:25 pm

Sxip, OpenID, CardSpace (formerly InfoCard) and i-names are user centric models of identity.

I find the whole idea about this extremely interesting, but there are some things to consider.

Privacy… am I going to give this site my real info?

Authority… how are sites to know that I am providing my real info, or do they care?

These user centric models of data mean that the user can create their own persona to carry around from site to site. In some cases I may want absolute anonymity, say if I am Chinese and trying to blog; in other cases I may want 100% certainty that I am who I say I am. These user centric models mean that I can claim anything I like, and that is fine for anonymous access, so I am more concerned with providing reasonable certainty that I am who I say I am.

Let’s face it, with spammers and phishers and every other kind of creep out there, it’s really hard to state that a person visiting your site is who they claim to be. So how can I state that I am who I say I am in a trustworthy way? You could think of this as something like trying to validate that an email came from the person listed in the “from”.

On the internet just about everything is easy to fake; only encryption can really help. So we come to public/private key encryption. As I have stated before, PGP is only good for anonymous and pseudo-anonymous encryption, but actually any keypair that isn’t backed up by a statement from a trusted source is going to have the same problems. This is because without a trusted source, there is no validation that you are getting the key you think you are getting and not a well crafted fake. The only people capable of making trustworthy identity assertions are governments (ok, this is a bit of an exaggeration but it’s the closest to the truth as I am going to bother with). The only other group that is trying to make identity assertions are Certificate Authorities, like StartCom and Verisign. However, not all CAs have the same rules about validating the identity of their users.

The assertion of an identity is a tricky business, and I have set forth the plan earlier on how to make it reliable, but the ruling has been that relying on volunteers means that there is no reliability. Still, the ability for a user to associate a persona with a particular certificate, or group of certificates, would be like having a choice of ID cards, some very reliable, like a driver’s license, some not, like a library card. I see a great deal of value in making a CA a homesite, as well as in making a CA a membersite.

As a homesite, users could have a choice place to share their data from, that is authoritative. As a membersite, a CA could speed up user registration.

Either way there seem to be a lot of reasons to make the association between a user-centric account and a CA account or certificate.
