First, at the moment, and for the foreseeable future, I will be acting under my previously-announced policy of approving only CAs that have passed a WebTrust for CAs audit or a "WebTrust-equivalent" audit. I have not given up on crafting a policy that would go beyond that, but it will have to wait for 2005 until I have time to work on it.
This is obviously disappointing to those who are not going the audit route. But given the volunteer nature of the project, and the unfinanced nature of CA addition, I guess they will have to live with their disappointment :)
Looking back, clearly I was being overly ambitious in trying to simultaneously address two issues: what the CA criteria should be, and how CAs should be evaluated against those criteria. Going forward I think at least for now we should go with the WebTrust criteria, and then we can see how well the "WebTrust-equivalent" requirement covers the other types of audits/evaluations that we've seen for CAs or that we might see in the future.
When I have time over the next week or two I'll post a new policy draft that basically codifies my current position.
Frank
-- Frank Hecker
