Frank,
> No. I'm simply stating that there are CA-related issues which may not
> warrant us having a formal policy on, but which we may have an opinion
> on that we want to express.
> 
> To take another example: our policy doesn't address the issue of whether
> CAs issue end entity certs directly from roots as a standard practice,
> as opposed to having roots issue CA certs to subordinates and then
> having the subordinates issue end entity certs. Some people think that
> root private keys should always be stored offline, and that it's a bad
> practice from a security standpoint to use them in conjunction with an
> online cert-issuing operation, even if the root key is on a hardware
> device.
> 
> I don't see us making it a formal condition of our policy that CAs use
> only offline roots, and rejecting CAs that issue end entity certs
> directly from roots. However it's quite possible that we may want to
> publicly encourage CAs to migrate to use of offline roots, and perhaps
> to maintain publicly available information on which CAs issue directly
> from roots and which don't. We can also of course do such lobbying
> within groups like the CAB Forum, and we will. However I don't believe
> that precludes our discussing and taking positions on these issues in
> the context of our public forums and web sites.
> 
[Robin said...] 
We accept that Mozilla has valid and carefully considered points of view on
issues relating to CA behaviour.
I like your example of using intermediate CAs because it is a goal we share
and something we push where we can, although there are commercial reasons
that we still do not do it across the board.
We accept the quality of the advice, and are grateful that it is not
something you enforce in your policy.

Taking Eddy's issues on DV certificates, we can agree that his points tend
to reduce risk.  We could even try and promote those views in other forums
where we interact with browsers and CAs.  What we don't really want to do is
commit to limiting our DV products while other CAs don't see the same
limits.  Either leave it as a "stated position" which would leave us room to
promote it where we can but also to continue to compete on an equal footing
in that market sector - or make it a stated part of your CA policy which
will oblige all CAs to comply.  Either of those options is fine with us, but
don't ask us to accept (or to volunteer) unilateral restrictions because as
a commercial organization we can't accept them.

Regards
Robin
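
The two issuance patterns Frank contrasts above (a root signing end-entity certs directly versus a root that only signs subordinate CA certs) can be told apart from the validated chain. The following is an added example, not code from this thread or from any CA's or Mozilla's own tooling: a standard-library Go check that reports whether a leaf certificate chains straight to a trust anchor with no intermediate, exercised against a constructed root, intermediate and two leaves built in memory (the names and serial numbers are made up).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { if err != nil { panic(err) }; return v } // demo-only error handling
// newCert mints a CA (ca=true) or end-entity cert for cn, signed by parent/parentKey, or self-signed when parent is nil.
func newCert(cn string, serial int64, ca bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, IsCA: ca,
		BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if ca {
		tmpl.KeyUsage = x509.KeyUsageCertSign // Go's verifier rejects a signing CA whose key usage lacks this bit
	}
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed root
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}
// IssuedDirectlyFromRoot reports whether some valid chain for leaf is just leaf + trust anchor,
// i.e. the root key itself signed the end-entity certificate (the online-root pattern).
func IssuedDirectlyFromRoot(leaf *x509.Certificate, roots, inters *x509.CertPool) (bool, error) {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	for _, c := range chains {
		if len(c) == 2 { // nothing sits between the leaf and its anchor
			return true, nil
		}
	}
	return false, err // err is nil when chains exist but every one runs through an intermediate
}
// Demo builds the constructed root, an intermediate, and one leaf signed by each, then checks both leaves.
func Demo() (rootSigned, interSigned bool) {
	root, rootKey := newCert("Demo Root", 1, true, nil, nil)
	inter, interKey := newCert("Demo Issuing CA", 2, true, root, rootKey)
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	leafA, _ := newCert("a.example.test", 3, false, root, rootKey)   // issued straight from the root
	leafB, _ := newCert("b.example.test", 4, false, inter, interKey) // issued via the intermediate
	rootSigned, _ = IssuedDirectlyFromRoot(leafA, roots, inters)
	interSigned, _ = IssuedDirectlyFromRoot(leafB, roots, inters)
	return rootSigned, interSigned
}
```

Run against a real site's presented chain, the same check flags certificates that validate with the root as their direct issuer, which is the information a public list of "which CAs issue directly from roots" would be built on.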

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto