Frank Hecker wrote:
>
> As promised in my previous message I managed to find some spare time and
> do a revised draft of the CA certificate policy and related documents;
> in particular we have the core policy proposal:
>
> http://www.hecker.org/mozilla/ca-certificate-policy/
>
> the proposed details of the policy and how it would be implemented:
>
> http://www.hecker.org/mozilla/ca-certificate-faq/policy-details/
>
> and (for good measure) an HTML version of the metapolicy I posted earlier:
>
> http://www.hecker.org/mozilla/ca-certificate-metapolicy/
>
> Note that the URLs are different than the URLs I used earlier, as I
> decided to change the names of the documents slightly.
>
> At this point I think the most important thing missing is a detailed
> discussion of the threat model and the assessment criteria that flow
> from it. I'm sorry I haven't had time to digest all the postings that
> discussed threat models and to try to synthesize a proposed consensus
> model; that will be my next task when I find time for it.
>
> I also apologize if there were comments and suggested revisions
> submitted that were not reflected in these new versions. I also need to
> go back and review those submissions to see if there's anything I'd like
> to incorporate in the next draft.
>
> And finally, a big "I'm sorry" to all the CAs out there who've sent in
> requests thus far, requests which have gone unanswered and (in many
> cases) unacknowledged. I'm really not in a position right now to approve
> or deny requests -- and in any case I may need to confine my activities
> to getting the policy written, and then turn the duties of evaluating
> requests over to someone else who has the time and knowledge to do a
> better job of it.
In the proposed policy, I consider the lack of objective, verifiable criteria for including or removing a certificate to be a very serious deficiency. I know this is somewhat addressed in the meta-policy, but I don't know what standing that will have relative to the policy itself.

Proposed policy item #5 should be revised to require a bug report rather than an E-mail message. This would formalize the addition of a certificate to the database and allow public review of the request. It would also facilitate tracking such requests. For this purpose, a new bug database component should be created for the Browser product: CA Certs.

In the FAQ, several questions deal with certificates with restricted or limited audiences. The FAQ should make clear that users can indeed import CA certificates of their own choice.

-- 
David E. Ross
<http://www.rossde.com/>

I use Mozilla as my Web browser because I want a browser that complies
with Web standards. See <http://www.mozilla.org/>.

_______________________________________________
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto
