On 10/17/2013 3:35 PM, Kathleen Wilson wrote:
> All,
>
> I think we should have a discussion about the level of involvement
> required of a CA to go through the root inclusion process.
>
> How much of the process can a CA pay someone else to do?
>
> What should the CA do on their own to demonstrate their own commitment
> to running a trust anchor?
>
> I am asking these questions because of comments 16 through 21 of
> https://bugzilla.mozilla.org/show_bug.cgi?id=844163
>
> I will appreciate your thoughtful and constructive input on this topic.
>
> Kathleen
>

I believe the point of contact should be someone with authority to speak on behalf of the CA, to make commitments for the CA, and to direct whatever changes the review process requires. That person should also be in a position that can be held accountable by the CA. Finally, it needs to be a specific corporeal (not corporate) person, definitely not some generic E-mail address as cited at <https://bugzilla.mozilla.org/show_bug.cgi?id=844163#c21>.

Note that the authority to make commitments for the CA is key and would exclude any outside consultant.

I am especially opposed to including the roots of CAs who lack the technical and administrative capabilities to act on their own. Such a lack might indicate other inabilities that could impair the trustworthiness of their operations.

--
David E. Ross
<http://www.rossde.com/>

Where does your elected official stand? Which politicians refuse to tell us where they stand? See the non-partisan Project Vote Smart at <http://votesmart.org/>.

