On 01/13/2009 10:15 AM, Rob Stradling:
> Eddy, I do think that the Mozilla CA Certificate Policy should cover
> *all* "actual" problematic practices. In this particular case, I think that
> a blacklist of unsupported/non-allowed/not-recommended algorithms and/or a
> whitelist of supported/allowed/recommended algorithms would be very useful
> information for the CAs.

Useful yes, up to a certain extent. If there is too much information in
the policy, it will start to be problematic. The policy shouldn't be
changed every here and now and I think this is the position Frank
represents too.

> If Mozilla ever does decide to pull a CA's Root for whatever reason, wouldn't
> it be so much better if Mozilla could say to them...
>
> "CA X, you have no excuse. You have clearly violated clause N of version
> Y.Z of the Mozilla CA Certificate Policy, which you had previously agreed to
> adhere to"
>
> ...rather than...
>
> "CA X, you took your eyes off the ball. You really should have been
> following all of the discussions on mozilla.dev.tech.crypto more closely and
> assuming that any opinion expressed might become Mozilla's official policy at
> any moment. And you really should have assumed that violating
> any 'potentially problematic practice' could give us cause to pull your Root
> at any time"
>
> ?

I simply don't think this is how it works. But to your last question,
the answer is yes, let me explain:

Before Mozilla yanks any root (which isn't something Mozilla does for
fun really), Mozilla will confront the CA with the concern and assumed
risk concerning the practice of the CA.

- Mozilla will give the CA reasonable time to address the concern -
where "reasonable" really depends on the severity and scope.
- The CA may have the opportunity to convince Mozilla also otherwise.
- The CA should present its proposal about how it intends to address the
concern raised.
- Should the proposal be acceptable to Mozilla, Mozilla will follow its
implementation.
- Should the CA fail for whatever reason - by preference even - to
address the issue, Mozilla will propose a deadline and remove the root
thereafter. A CA may clearly decide that it's not going to address the
concern of Mozilla and prefer to have the root removed. Or Mozilla may
change its mind after understanding the counter-argument of the CA.

Additionally, a concern and reason for potential removal doesn't have to
be listed in the problematic practices or other documents even. It might
be a concern which is very specific to a certain behavior of a specific
CA which doesn't require having it addressed otherwise.

> To put it simply: I would really like Mozilla's expectations of the CAs to be,
> on an ongoing basis, 100% clear.

Yes, this can be handled however outside of the Mozilla Policy, similar
to the FAQs of Microsoft's Root Program for example. I suggest however
that potential by-law locations be published in the policy. Those
by-laws may be changed more frequently than the policy itself.

Which reminds me....we need to start re-confirmation of EV audit
statements soon to make sure they are up-to-date.
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog: https://blog.startcom.org
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto