Frank Hecker wrote:

I've posted a new version of the "policy details" section of the CA certificate that discusses CA-related risks/threats and the evaluation criteria for CAs intended to address those risks/threats. The new material is confined to the following two questions:

http://www.hecker.org/mozilla/ca-certificate-faq/policy-details/#risks
http://www.hecker.org/mozilla/ca-certificate-faq/policy-details/#criteria

I knew there was something else I forgot to mention: Re my comments on the typical user, the language about typical users not voluntarily displaying security-related information is really a fancy way of saying that typical users are not going to be clicking on lock icons and inspecting the details of certificates, except possibly when they get a warning message that offers them an option to "view certificate" (and even then they may not take advantage of this offer, or know what to make of it).


Thus arguably the only cert- and CA-related things that matter to typical users are things that would cause a warning message to be displayed to the user given default preference settings. If, for example, a CA issues a cert with false information, but the false information is for attributes whose values are not checked by Mozilla or displayed to the typical user by default, then as far as the typical user is concerned the truth or falseness of the information is irrelevant, and looking at it from the point of view of a typical user arguably there is little or no point in having CA evaluation criteria relating to verification of that information.

Frank

--
Frank Hecker
[EMAIL PROTECTED]