Ben Bucksch wrote:
Nelson Bolyard wrote:
A contract would probably have commitments both ways, implied if not
explicit.
Is that a bad thing?
Yes. We don't have *legal* control to yank roots anymore, only for the
reasons explicit in the contract. Right now, it's just a practical
problem.
For example, if we decided to drop all-EV-roots (which is a
possibility, in some form or other), we would not be allowed to do
that anymore!
I guess Nelson meant that there are commitments from both sides,
which doesn't have to be a bad thing. Obviously the Mozilla CA policy
does make some commitments to third parties, but much more to the
general public than to the CA. Having a CA acknowledge the rights and
limitations of the policy is necessary, the same way as Mozilla
acknowledges the rights of others in the policy (acknowledged by
publishing the policy in the first place).
But the situation currently is that no CA has ever acknowledged (agreed to)
the Mozilla CA policy, and therefore a CA could sue Mozilla if its root
were removed (something which would have to be confirmed by a court,
of course). Having the CAs explicitly confirm this right of Mozilla
might reduce the chance of a lawsuit in my opinion... (It still can
happen - even rightly so - but that's another story.) I think especially
today, it's not just a practical problem to remove a root CA, it
might be outright difficult....
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Phone: +1.213.341.0390
_______________________________________________
dev-security mailing list
https://lists.mozilla.org/listinfo/dev-security