> Frankly, if a CA acts up -- you pull them out.
People say that, but has anyone done it? Has any CA been pulled, ever? And what for? How hard was it to do?
Please compare the built-in CA list for Communicator 4.7x and mozilla (any recent version). IIRC, mozilla's list is smaller. Yet it was derived from Communicator's list. If my memory isn't mistaken here, then CAs have been pulled from the list.
Netscape's original policy, IIRC, was that CAs paid a fee to be included in the list until the next "major" revision of the software, at which point the list would start fresh.
> Imagine if a CA instituted a policy of charging a disconnect fee.
I'd really rather stop these straw men.
(Or, imagine *any* reason for pulling the CA.)
Perhaps it's time for a "major" revision of the CA list.
> It is important to have an independent standard against which to judge CA behavior (and WebTrust seems to be the most likely candidate).
This is an important point. So, the question then is, how does WebTrust do it? How does it decide, process, analyse and advise a decision to drop a CA? Does it indeed do anything, other than decline to conduct another audit?
That's a fair question. Another is, what does it take to convince WebTrust that some party they've audited is no longer following the audited practices, and therefore that party's seal ought to be reconsidered?
I recently learned that at least one "authenticode" cert has been revoked by its issuer because the issuer believed that the party to whom the cert was issued was violating some rule, probably some aspect of some agreement. I'm not familiar with the terms of the agreement(s) to which an applicant must agree to receive an authenticode cert, but that might be instructive to find out.
[1] I think it's fair to say that the origins of the CA market were a case study in a pure anti-competitive market. Legislation was proposed and pushed through by CAs in some places that created a barrier to entry.
That occurred well AFTER Netscape first offered clients with CA lists.
AFAIK, those laws presented barriers to CAs wanting to do business with the state. But they didn't stop CAs from getting into Netscape's list. And I think they have no bearing on mozilla, unless mozilla decides they do.
-- Nelson B
_______________________________________________ mozilla-crypto mailing list [EMAIL PROTECTED] http://mail.mozilla.org/listinfo/mozilla-crypto
