And in continuation to the other posts I made:
- Do we require an audit in the Mozilla CA policy because we want to have a third party confirmation about the CA's infrastructure and full implementation of its policies, or do we require an audit just for its sake?
- Do we require minimal validation requirements because we want to make sure that users can securely use certificates issued by the CAs in NSS, or do we require it because it looks good?
- Do we recommend separation of roots and preferably online CAs to be intermediate CAs and not issuing directly from the roots themselves because we want to prevent possible key compromise of online issuing CA certificates and protect our users, or do we recommend it so that CAs can ship such intermediate CA certificates via remote download and key storage in software (not to mention a standard requirement of having such keys stored securely)?
- Do we have a policy because we see the need to define, govern and control up to a certain extent how CAs operate and maintain a certain standard and quality of such CAs in order that users can securely use the Mozilla software, or do we have such a policy because it makes a good impression?
- And what is it that we want? What are the principles guiding us? What is our stated goal and what is it not?

If we don't implement and protect our own policy such as audits by third parties, then let's get rid of this requirement. If such audits don't include the whole CA infrastructure then we don't need such a requirement at all. If domain validation becomes a joke and effectively useless by issuing them for ten years, then let's get rid of this requirement too. If chained CA certificates can be shipped via remote download and private keys of chained CA certificates stored in software, then let's get rid of the relevant recommendations as well.

--
Regards

Signer: Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber: [EMAIL PROTECTED] <xmpp:[EMAIL PROTECTED]>
Blog: Join the Revolution! <http://blog.startcom.org>
Phone: +1.213.341.0390

