In the past, the largest single support burden for NSS and PSM developers and QA folks has been the relentless stream of "bugs" filed by OpenSSL users who made certs that don't work, and who just assume that the problem must be a mozilla bug. This has primarily been a problem with certs from CAs not in mozilla's trusted CA list.
There have been rather few problems with certs from trusted CAs, which is just as it should be, and is how it must remain.
It simply MUST NOT become the case that everyone who has a problem with a cert from a trusted CA receives their customer support from mozilla. CAs cannot rely on bugzilla.mozilla.org as their bug tracking system.
So, I think mozilla foundation's trusted CA meta-policy needs to say something to the effect that a trusted CA cannot create a support burden for mozilla and its developers.
Further, I believe the policy needs to state that trusted CAs MUST provide all technical support for (a) their "customers" (the parties who obtain certs from them), and (b) their "relying parties" (people who rely on their certs, e.g. while web surfing).
Finally, I think that the policy should state that a CA whose certs cause too many problems may be removed from the trusted CA list. We need to spell out what the threshold is, and it needs to be quite low.
_______________________________________________
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto
