But this strays so far away from the discussion here, which is to select a methodology for selecting CAs for inclusion in Mozilla.
I agree that this discussion sometimes broadens away from the key question. But, I suggest this is necessary to develop a policy that can survive.
It's fine to say that competition might make CAs competitive, but it wasn't always that way, and it may not be so in the future [1].
CAs being anti-competitive is a very key issue to the policy, and the policy should assume that manipulation for anti-competitive purposes will be the norm. CAs are going to be anti-competitive, if they can get away with it, and if money is involved. And, they will use any tool they can think of to reach their goals.
> Frankly, if a CA acts up -- you pull them out.
People say that, but has anyone done it? Has any CA been pulled, ever? And what for? How hard was it to do?
Imagine if a CA instituted a policy of charging a disconnect fee. Nominally because its due diligence was ongoing and required to be closed down. Of course this is fair... and any business could construct a reason to do this, with its slow moving client base.
If however there was a challenge to this very fair and reasonable fee of $500 for disconnect, then no doubt the CA would fight hard to keep from being dropped.
(Or, imagine *any* reason for pulling the CA.)
If the CA was "active" and in the market place, I'd say the very first thing that would happen is that Mozilla Foundation would be sued in court and an injunction requested. This would be granted [2], and then it would take about 4 years to battle the case through, plus/minus a couple of years.
I think the notion that a CA can be "pulled" from the list if it misbehaves should be treated with intense suspicion. Also, I think I can comfortably suggest that the cost of pulling a CA will exceed the cost of adding a CA. In terms of time and analysis and emails and risk and user support.
So, it would seem sensible to design a policy whereby CAs did not need to be pulled. Now, I know this is all bad news (and I hate being the harbinger of evil tidings) but the CA business is not the walk in the park that some programmers wish it were.
> It is important to have an independent standard against which to judge CA behavior (and WebTrust seems to be the most likely candidate).
This is an important point. So, the question then is, how does WebTrust do it? How does it decide, process, analyse and advise a decision to drop a CA? Does it indeed do anything, other than decline to conduct another audit?
iang
[1] I think it's fair to say that the origins of the CA market were a case study in a pure anti-competitive market. Legislation was proposed and pushed through by CAs in some places that created a barrier to entry. Luckily, legislators around the world caught on to the game and declined to follow the original model. Now, most legislation simply reserves the right to pursue an anti-competitive framework, rather than mandates it. Any policy should consider that this unfortunate past may arise again.
[2] In the normal vein of legal proceedings, injunctions would be granted. The injunction is granted to preserve the balance, pending the case being resolved in court. So, the assumption is that the party with the power has to defer its employment of that power until the issue has been heard by the judge.
In general, injunctions are granted. Further, they are not lifted (again, in general) until the resolution of the case. If incorrectly applied, your normal remedy is damages after the case (again, in general), not to have it lifted.
Consult your lawyers on this, I'm only talking from a low knowledge base: I got hit by one, and had to fight it. Luckily, the injunction seeker made mistakes which could be seen as deceptive, and the judge saw fit to drop the injunction. But that was considered highly unusual to have made such mistakes.
_______________________________________________
mozilla-crypto mailing list
http://mail.mozilla.org/listinfo/mozilla-crypto
