[I'm trying to catch up on these threads, my apologies for the delay. I
don't have time to respond to every message, unfortunately.]
Ian G wrote:
If that was true, there would likely be an agreement between Mozilla
and Verisign (following the above RPA tradition) explicitly giving
Mozilla permission to RELY.
I'm not Mozilla, so I guess we have to ask: Frank, is there any
such agreement that explicitly gives Mozilla permission to RELY?
We (Mozilla Foundation) do not sign explicit agreements with CAs
regarding inclusion of root certificates, and never have to my
knowledge. Whether our dealings with CAs result in an implicit
contract/agreement is a question that (as a non-lawyer) I'm not prepared
to express an opinion on.
Whether it's a good idea to have such agreements in future is an open
question, and I don't have any useful thoughts on it right now. However
I will say that in terms of our ongoing relationship with our users, at
least for Firefox, the relevant legal framework will be that outlined by
Harvey Anderson (general counsel for the Mozilla Corporation) in his
series of blog posts at <http://lockshot.wordpress.com/>. Any explicit
agreements with CAs would have to be consistent with that framework.
Frank
--
Frank Hecker
[EMAIL PROTECTED]
_______________________________________________
dev-tech-crypto mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-crypto
