Hi,

> Is inclusion of a root CA in the major browsers a "shall issue" process
> ? That is, you meet the criteria and you get in ? Or is it a subjective,
> political process ?
The process varies between browser vendors, with baseline requirements established in the CAB Forum. Audits are usually required.

The process for Mozilla is open: there is a one-week time of debate in the group mozilla.dev.security.policy where everyone can chime in and help to analyse the inclusion request. Sadly, there are not that many participants, but that is understandable as the level of detail is high and understanding a CPS document is very demanding. There are some veterans, of course. My impression is that every voice is heard equally, and a summary of concerns is then given at the end of the week. The CA is given a chance to fix that and can then be included. Rejections are extremely rare; I am not sure if I have seen even one in the past 3 years. It certainly was not more.

I am not sure if some participants' opinion is given more weight than others (it might make sense), or how the resolution of concerns is handled afterwards.

What I have seen repeatedly is discussion whether a CA operates for the general public (only those are deemed acceptable) or not. That seems to be a somewhat subjective criterion.

What I have also seen was post-hoc debate about the inclusion of the Chinese CA CNNIC (CN-NIC), which IMO highlighted a shortcoming of the process: if participants do not have much time, the one-week discussion period may pass without many comments and a CA thus be included. In the case of CNNIC, many objections were raised afterwards as this CA had been allegedly associated with malware in the past; there was also concern the Chinese government might use it to issue the kind of MITM certificates we're worried about. No proof of any such activity could be given, and Mozilla decided that the fair approach was to keep them in.

Ralph
_______________________________________________
cryptography mailing list
email@example.com
http://lists.randombit.net/mailman/listinfo/cryptography