> István, even though I understand your frustration and agree with the
> basic understanding that requirements should be published
> accordingly, I also must state there has been at least one issue
> (notably with your OCSP responder I think) in addition to our

I think the OCSP issue has been resolved: As I recall, in the short
run it does not cause problems with the current release of Firefox.
However, we accepted your arguments, we made some changes in our
systems and promised further changes in the future, so that it shall
not cause problems in the long run either.

> inability simply not to be able to read the CP/CPS. As more and more
> CAs from Non-English speaking countries are applying for inclusion,
> Mozilla will have to find a solution (in this or the other way).
> Please note that many CAs from such countries publish their CP/CPS in
> English, sometimes in addition to their native language. This is in
> my opinion expected behavior and practice in this industry -
> specially if the CA is supposed to be included in a product used to
> be world-wide and hence the relying parties.

I may accept this statement, but if there is such a requirement, it
should be stated in advance.
If there is no such requirement, it should not hinder the process, but
there should be defined ways to resolve this issue.

>> Being a long-term Mozilla fan, I am really sorry to say that the
>> same procedure at Microsoft was faster, much better defined, less
>> ad hoc, and a lot more transparent.
>
> Agreed, Microsoft is a professional company which doesn't involve any
> input from a community as with Mozilla. But how did they verify and
> understand your CP/CPS? Did they rely solemnly on the audit report?
> Does your OCSP responder not present a problem to them?

We were requested to submit further documentation on the audit in
English. We had the detailed report of our auditor translated and we
sent it to Microsoft. (This is a non-public document that describes
our systems in depth similar to our CPS.)

They did not examine our CPS. (If we had been asked to submit a
translation of the current CPSs, we would have done so.) They relied
on the audit statement and on the detailed report of our auditor.

We were asked a set of questions that were public before the process,
we had some discussion concerning some of them (especially about the
extended key usages).

At that time, Microsoft stated that OCSP responders under a separate
root are not supported, so our OCSP root was not included in Windows.
However, the OCSP URL in the AIA field was not raised as a problem.

Other issues were not raised during the process.

Whatever I criticized was not the scrutiny of the process at Mozilla,
but its transparency and the way we can make our plans concerning it.
I mentioned Microsoft, because there we had a much better idea of what
was going to happen at what time, what was examined, what the exact
criteria were, and when they wanted us to submit some documentation,
they asked us to do so.


> On to István's comments:
>
>> Perhaps, making such (discriminatory) criteria mandatory could
>> still be better than enforcing it without stating it clearly.
>
> I don't think this criteria exists.  I for one would not like it.
> But, there is, IMO, a need for something, and something short and
> simple was what I was exploring.
>
> I would point out that all my comments are aimed at the future.  I
> wouldn't want to slow down any current contender.  You seem to meet
> the rules and practices, so no need to dwell on this.
>
>> Being a long-term Mozilla fan, I am really sorry to say that the
>> same procedure at Microsoft was faster, much better defined, less
>> ad hoc, and a lot more transparent.
>
> OK!  I think I for one would really like to hear a summary of that.
> I'm not trying to stir the pot, just wondering whether there is any
> way to improve the current Mozilla process, either up or down.

OK, thanks, I tried to summarize the main points above.
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
