I don't want to get bogged down in the discussion about *how* to
write/update the policy regarding the Email trust bit at this point in
time. If someone commits to take the time to do some research and become
familiar with this area, their proposal for how to update policy
regarding the Email trust bit will most likely evolve before they
propose solutions here.
We are indeed asking for:
(1) A one-time effort to define/improve policy around the Email trust
bit. (after doing some research, and understanding the situation)
(2) Occasional refinement to the policy
(3) Evaluate the requests to enable the Email trust bit
(4) Improve the S/MIME code that folks are saying has not been maintained.
smaller amount of time?
I think that the work can be done slower with a smaller resource
commitment. The point is that someone needs to make some sort of
commitment to work regularly (at some level) to address the concerns
that have been raised (and do the things listed above).
Could the CAs be required to do most of the work to
demonstrate their compliance, and only require the dedicated person to verify
the documentation for plausibility?
That's basically how it works today. But we need someone to figure out
what policy documentation and audit criteria the CA should be required
to provide and meet.
Kathleen
_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy