On 10/23/13 2:20 PM, Jan Schejbal wrote:
Hi,
there have been repeated issues where CAs were claimed to be
untrustworthy due to prior misconduct not related to certificates.
Usually, this was dismissed by saying that no certificate was issued
contrary to Mozilla Policy, and thus there is no reason not to include a CA.
All, I know we've tried to solve this before, but let's try again.
I've add this to
https://wiki.mozilla.org/CA:CertPolicyUpdates#Consider_for_Version_2.3
~~
- Figure out a way to draw a line to say that certain types of actions
cannot be taken by the same company/organization that includes the
operation of a publicly trusted CA. Things to consider:
-- Government sanctioned/initiated/controlled projects
-- Legally forced participants
-- Ability for one corporation to completely support a spying system
like PRISM functionality (physical lines, access nodes, data
center/hosting resources, backbone level Internet controls, DNS etc.)
*newly added:*
- Address issue of trustworthy CAs
-- knowingly were involved in active attacks against internet users,
e.g. by installing software without user consent
-- have a conflict of interest by being involved in the development or
sales of software or hardware designed to perform man-in-the-middle
attacks on SSL connections
~~
I think it is time to start drafting the next version of the Mozilla's
CA Certificate Policy.
Perhaps a good place to start is the policy framework that Peter
suggested:
https://groups.google.com/d/msg/mozilla.dev.security.policy/SzSGHbrcBe0/hSGt50rJfYMJ
Thanks,
Kathleen
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
