For the sake of the credibility of the policy, this has to remain an agenda item, if only to warn CAs not to be complacent :)
For the record, I agree, and I believe I explicitly noted this in the last draft policy.
Whether you *ever* have time is an open question, which is just another reason why I think inevitably there will be a drift towards an asymmetric CA policy (where not all CAs are equal). It's the only way to manage the divergent requirements, economically speaking.
By "asymmetric CA policy" are you referring to the issue of how we treat incumbent CAs vs. new applicants, or to some other division of CAs into different classes?
The concept of using a reputable firm to 'check the books' of a company derives from the old days where to actually get to the books required amounts of travelling and quite specialised knowledge in accounting and so forth.
These days we have the net. We also have a whole host of idle experts out there. In the Digital currency world we promote what we call open governance where the users are responsible for auditing the institutions. It is an evolving concept, not without controversy, but it does do one thing extraordinarily well: it allows trust to be aggregated and disseminated without large amounts of money being spent, and without relying on excessive secrecy.
Again for the record, I understand the point you're making, and I am sympathetic to your vision. However I would make the following counter-points:
If CAs retain their present role (the world doesn't move to the self-signed model you advocate) and CA activities are undertaken primarily by formal commercial entities, then while there may be a "whole host of idle experts" out there with an interest in how CAs operate, there won't be sufficient transparency to let them properly evaluate CAs, and "open governance" will be a non-starter.
Now if in the future we continue to have CAs in the present sense, but we see CA activities being taken on by more and more non-profit groups like CAcert, then your vision would have more of a chance of being realized. However, this still would depend on the non-profit groups being more open than the current commercial entities, and we can't necessarily assume this a priori. (In the wider world of nonprofits there are groups that are just as nontransparent as commercial companies.)
Even if there is more transparency with nonprofit CAs, a move to a more open and less formal model of CA governance and evaluation would be a major cultural shift given the history of PKI and CAs. As someone who is by temperament a reformer rather than a revolutionary, and whose scope of action is limited by the need to achieve at least a rough consensus, my approach is therefore to move forward incrementally (but move forward nonetheless).
Frank
--
Frank Hecker
_______________________________________________
mozilla-crypto mailing list
http://mail.mozilla.org/listinfo/mozilla-crypto
