That's a very good question. The most important part of the answer to it would have to be: don't discount what they say.
However, I have a suggested strategy for reviewers: don't limit your review to only those trust bits that are initially requested. This way, if there is an amendment to the bug which requests additional bits to be set, then we don't have to waste our time doing an entire new review of the CP/CPS/public information to figure out if those new trust bits are also appropriate.

For each type of trust bit requested, what are the minimum requirements for inclusion?

TLS server: must perform at a minimum domain control verification
email: must perform at a minimum email account control/access verification
software: must perform legal identity verification?
EV: must perform corporate legal identity verification, must have policy OID for embedding, must have a different audit, cannot use MD5... (come to think of it, I think I'll read the EV document again and figure out all the "must" clauses.)

I'm asking this because I think a template which includes a statement of requirements would be an exceedingly good thing for people undertaking reviews for Mozilla CA program inclusion -- and would open up the process to people who have less interior working knowledge of a CA. This would also allow people who are otherwise untrained, but who want to take an interest in their security, to understand what the reviews entail and what Mozilla's priorities are.

(for example:

Please identify the section of the public documentation which addresses each point below:

SERVER: Performs domain control verification
How does the CA perform this? (if not performed, answer "N/A"; if not described, answer "Unspecified")
SERVER: Performs domain control change revocation
How does the CA perform this?
EMAIL: Performs email account control/access verification
How is it performed?
...and so on.)
-Kyle H

On Tue, Feb 10, 2009 at 3:38 PM, Ian G <i...@iang.org> wrote:
> On 10/2/09 23:02, Eddy Nigg wrote:
>>
>> On 02/10/2009 09:42 PM, Frank Hecker:
>>>
>>> And in any case, I don't see people being as much concerned about having
>>> more Mozilla-employed people involved, but as getting more community
>>> feedback. And I don't have any good answers there because it depends on
>>> having more people willing to volunteer their time.
>>
>> I too think that one person dedicated to CA matters should be
>> sufficient. Perhaps there are some from other CAs and/or otherwise
>> knowledgeable in this field willing to spend ONE hour per week as a
>> contribution to Mozilla? Yes, I'm looking at you!
>
> I thought about that too, but discarded it. Certainly some CA input is
> useful, but the danger is that it becomes overbearing and self-serving, and
> could lead to some form of tit-for-tat war between the CAs (assuming that
> there are multiple rounds of reviews, which we would probably all agree is a
> good thing).
>
> The real problem is, how do we get independent people to stick around and
> comment?
>
> iang
> --
> dev-tech-crypto mailing list
> dev-tech-crypto@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-tech-crypto