Gervase Markham wrote:
A small, but important addition to that one. One of the reasons for this argument is, that as long as the CA makes the decision and assigns the appropriate level to the certificate, the CA retains the responsibility and liability about its promises. Should a CA "screw up", it has to live up to its promises (which the assigned level implies obviously) and in case of a problem needs to take the responsibilities (Actually nothing new here). However if Mozilla takes (more) control over it, then it might be also liable in such a case, which it rather shouldn't, since it doesn't really have any control about the issuance of the certificates. Defining the policy is the legal framework which Mozilla provides to all parties involved, but not the service itself, therefore shifting the responsibility and liability to the CA makes sense in this respect.Actually yes. In my proposal this is exactly the case, the same as today Mozilla trusts the CAs, that they adhere to the Mozilla Ca policy, which defines in that respect also a minimum level of verifications for example (confirmed by a third part audit). You might argue that this is not enough and come up with a alternative proposal concerning that. However we were thinking about it too and came to the conclusion that this might be the right thing to do.How does your proposal ensure that the CAs stick to what they have promised - i.e. that the OID they put in the certificates corresponds to the level of validation done? Do we just have to trust them?
-- Regards Signer: Eddy Nigg, StartCom Ltd. Phone: +1.213.341.0390
smime.p7s
Description: S/MIME Cryptographic Signature
_______________________________________________ dev-security mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security
