Frank Hecker:
> Eddy Nigg (StartCom Ltd.) wrote:
>> Nor am I a citizen of Zimbabwe, so it doesn't apply 
>> to me either... I guess I represent in that respect the majority of a 
>> typical user.
>>     
>
> I'm not sure where the reference to Zimbabwe came from, but never mind...
>   

LOL...I think that's because that country was just up in the news...it 
could have been any other country - USA, Denmark, Argentina....anything...

>   
>> Nope, I guess we'll have to find something better than that (if at all).
>>     
>
> I'm still not clear on your exact objections to the Microsoft policy, or 
> what you would consider a better one.
>
>   
I can try to make a suggestion...

First of all I'm guided by a few facts:

I'm not aware that we can limit certificates in any form to whom the 
certificates are going to be issued and we can't limit who is 
going to be a relying party. Even if a certificate might be primarily 
intended to be used in a respective country, it doesn't prevent such a 
certificate from being used anywhere on the Internet, be it for S/MIME, 
authentication or server.

Therefore I don't see much difference between a so-called government 
issued certificate or a regular one. They act the same, behave the same 
and users rely on them the same. If such certificates are relevant for a 
typical user or not I don't want to decide and leave it up to somebody 
else. It doesn't have any effect on what the certificates are, however I 
suggest that this "requirement" of the policy be either updated or removed.

Because certificates can't be limited (and localized versions with 
different roots aren't what I would suggest generally), we have to apply 
the same conditions and rules to such CAs. This means their PKI must be 
audited according to one of our criteria by an auditor the policy 
defines as acceptable. The certificates must be issued according to the 
same requirements as all other certificates.

In order to better control and know which CAs we are actually approving 
I'd suggest to exclude CA roots, if their sole or major purpose is the 
boot-strapping of other CAs. Instead each CA should apply for inclusion, 
we might however accept governments themselves as auditors provided the 
audit is confirmed according to one of our accepted criteria (I think 
this is what we did with TurkTrust, this would be possible with some of 
the Austrian CAs once they provide an acceptable audit confirmation, and 
this is what we should do with the Korean CAs).

Beyond that I don't think we have to make any other changes or updates, 
which boils down to:

- No boot-strapping CAs
- Auditing of the complete CA infrastructure is a requirement

This should apply to all CAs the same! This isn't exclusive to 
government CAs.

(We might want to look into issues concerning localization of content 
presented in certificates, but that's an entirely different issue (just 
remembered it because I mentioned TurkTrust))

-- 
Regards 
 
Signer:         Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber:         [EMAIL PROTECTED] <xmpp:[EMAIL PROTECTED]>
Blog:   Join the Revolution! <http://blog.startcom.org>
Phone:          +1.213.341.0390
 

_______________________________________________
dev-tech-crypto mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-crypto
