In the proposed policy, I consider the lack of objective,
verifiable criteria for including or removing a certificate to be
a very serious deficiency. I know this is somewhat addressed in
the meta-policy, but I don't know what standing that will have
relative to the policy itself.
The meta-policy is intended to "drive" the policy and related documents (e.g., the FAQ); if something is in the meta-policy then that something should be addressed somewhere in some form or other in the other documents.
Now, as to the question of criteria, what I will do is to revise the policy document to specify that decisions made re CA certs will be based on documented, objective, verifiable criteria. However I am not going to put a criteria list in the policy itself, since I want to keep it short. I think a better place would be the policy details section of the FAQ.
(And BTW, note that the new version of the FAQ does mention some general criteria as to why certs might be removed.)
Proposed policy item #5 should be revised to require a bug report
rather than an E-mail message. This would formalize the addition
of a certificate to the database and allow public review of the
request. It would also facilitate tracking such requests. For
this purpose, a new bug database component should be created for
the Browser product: CA Certs.
I agree that requests should be entered into bugzilla and tracked that way. I also believe that we should allow CAs to enter requests directly into bugzilla (as opposed to sending an email message), and I am revising the policy to state that explicitly.
However I do not agree that we should require CAs to use bugzilla instead of email to submit the original requests. Not everybody knows how to use bugzilla, and there's a little bit of overhead to get yourself a login before you can submit a bug report. I think it would be better to allow CAs to just send an email if they don't want to deal with bugzilla; the "module owner" for certs (i.e., the person getting the [EMAIL PROTECTED] emails) would then enter the bug report on behalf of the CA, and add the CA contact person to the CC list for the bug.
Note that this is essentially the same policy we handle for reports of security vulnerabilities: you can enter a security-sensitive bug yourself, or just email your report to [EMAIL PROTECTED]
(Reminder to myself: I need to ask the appropriate mozilla.org person to add a new component "CA certificates" to the "mozilla.org" product in bugzilla. This will make it easier to track requests and ensure that requests submitted via bugzilla will get to the right owner.)
In the FAQ, several questions deal with certificates with
restricted or limited audiences. The FAQ should make clear that
users can indeed import CA certificates of their own choice.
Agreed. I was going to address that in the "background information" section of the FAQ, which is primarily directed at end users.
Frank
P.S. I uploaded a new version of the policy document to
http://www.hecker.org/mozilla/ca-certificate-policy/
with the revisions mentioned above; the changes are in items 1 and 5. -- Frank Hecker [EMAIL PROTECTED] _______________________________________________ mozilla-crypto mailing list [EMAIL PROTECTED] http://mail.mozilla.org/listinfo/mozilla-crypto
