It appears that Nick Lockheart <lists@xxxxxxxxxxxxxx> said:
>The Mozilla Foundation rolls its own CA. This CA key pair is internal
>to Mozilla, and doesn't need to be signed or approved by anyone.
>
>Mozilla uses the Mozilla Foundation's CA to sign all of the server
>Certificates for their own services.
>
>This Mozilla CA does not sign anything other than services owned by
>Mozilla.
 ...
>
>Mozilla places the public CA Certificate of the Mozilla Foundation into
>all of their browsers. This is the *only* CA Certificate that comes
>with the browser.
>
>This creates a secure channel from the browser to the browser vendor,
>which I will call BROWSER SECURE CHANNEL.

That is all fine, but the Financial Services Association of North Korea
can do the same thing. At some point you need to decide which entities
you trust a priori, from which you can chain other entities. Once you've
done that it doesn't really matter whether it's the CAB's list of
signers or the IANA DNSSEC root, or a cert in a browser from a vendor
you like.

R's,
John