> Robin, just to answer this one...
> 
> Robin Alden:
> > [Robin said...]
> > A fair point, and perhaps that is a whole other problem.  Our CA *does* have
> > roots in NSS.
> >
> 
> This is correct. However, your CA roots are considered legacy roots which
> were inherited from the Netscape era. Many critics have rightly pointed
> to the fact that these legacy roots never underwent a review nor a proper
> inclusion process. This is the reason why Frank made your request for
> upgrade conditional and a general inclusion request as if these were new
> roots. Your CA doesn't enjoy immunity because you have these legacy
> roots in NSS, nor does any other CA have that privilege, no matter if
> legacy or not.
[Robin said...] 
I never suggested we wanted immunity.  I asked why you are only now defining
policy in this matter.

> 
> > Is this:
> > a) an abstract discussion to help Mozilla crystallize the details of its CA
> > policy,
> >
> 
> No! Mozilla does have a CA policy and defined procedures on how CAs are
> included into NSS. This also includes a public discussion where relevant
> issues with the "to-be-included" CA can be raised. I made use of this
> right and raised my objection to the inclusion of your CA into NSS under
> the current circumstances. No decision has been made so far however.
[Robin said...] 
I acknowledge your right to discuss it and to raise objections, but surely
the discussion is about whether we meet the criteria in the CA policy -
and perhaps going so far as to say what we must change so that we do meet
the criteria in the policy.  Surely Mozilla has to publish its policy on
what its requirements are.  I struggle to believe that Mozilla wants to
negotiate product details with every CA it takes roots from.

> 
> > b) a discussion about what changes to CA behaviour Mozilla would like to see
> > (and may insist on) from some point in time, or
> >
> 
> No! Mozilla has the right to not include a particular CA certificate in
> its software products, to discontinue including a particular CA
> certificate in its products, /or/ to modify the "trust bits" for a
> particular CA certificate included in its products, *at any time and for
> any reason*. This includes (but is not limited to) cases where we
> believe that including a CA certificate would cause *undue risks to
> users' security*...
> 
> (c) Copyright of the Mozilla CA policy
[Robin said...] 
Granted, but as a commercial organization Mozilla also has to apply the same
standards to all CAs.  If you said that Mozilla embeds roots after
negotiation with the individual CA then that would be one thing, but the CA
policy says something different.  Yes, you could discontinue a root for "any
reason", but if you do not apply the same reasoning to other CAs then you
lay yourself open to claims of unfairness.  Surely you would incorporate
that "reason" into your CA policy for all to follow.  If your objections are
not ones that are to be included in the CA policy then I have to question
the process as a whole.

> 
> > c) a trial to determine whether our CAs should be removed from Mozilla
> > products?
> >
> 
> No, it's the process of considering the inclusion of your CA roots and
> upgrade to EV status. This is not a trial, as Mozilla has refused the
> inclusion of CAs entirely already in the past or made the inclusion
> conditional on certain aspects of their CPS and implementation. It has
> nothing to do with your CA per se; this is due process of the inclusion
> process.
[Robin said...] 
And it is the nature of the inclusion process that I am beginning to
question.
Your CA policy says "We will make such decisions [about inclusion] through a
public process, based on objective and verifiable criteria as described [in
the CA policy]".
From my point of view outside Mozilla I read your CA policy and complied
with it.
Now you have some more criteria which aren't in the policy.  That makes the
game considerably harder for me to prepare for.

> 
> > We have certainly strayed from my point of entry into this process which was
> > to ask to have these 3 existing roots enabled for EV.
> >
> See above (first section) why this isn't the case! Additionally, to all
> of my knowledge, other CAs had to undergo the very same process as well
> and your situation isn't unique!
[Robin said...] 
I disagree.  We *have* strayed far from the starting point.  Frank was clear
why he chose to treat our request as if it were for initial inclusion and I
can see his reasoning.  It still leaves us a long way from where we thought
we started.
From Frank's most recent reply I accept the reason for the consideration of
all aspects of our operation, but perhaps that separation should be made
more clear between those matters we are discussing here which are relevant
to the EV enabling of our roots within (what we hope to be) a short
timescale and those matters which pertain to the future direction of DV
which we are prepared to discuss but which are not intrinsically linked to
the EV issue.


_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto