I've created a new draft 0.8 of the Mozilla CA Certificate Policy:

  http://www.hecker.org/mozilla/ca-certificate-policy

The main substantive changes are as follows:

* Changed references to "users" to clarify that we're referring to users of the MF-distributed products.

* Added a requirement for CA disclosure of business practices in the form of a CPS. Besides being a good idea in general, it's typically the CPS that is referenced in auditor/evaluator reports, so it's needed to provide a more complete picture of the CA's conformance to whatever criteria are used to evaluate its operations.

* Removed the explicit reference to X509v3. I consider it implicit in the reference to "related standards" and I'm not sure how useful it is to single out X509v3 in this context.

* Explicitly allowed for the possibility of the Mozilla Foundation doing its own CA evaluations. Note that I worded this clause the way I did because in practice such evaluations -- if ever done -- would almost certainly not be done by actual MF employees but rather by someone else designated by MF staff to act on their behalf.

* Added note that we will reject the requests if we don't get the needed information in a timely manner. In part this is to motivate me to actually resolve requests with a "yes" or "no" answer, as opposed to letting them sit in Bugzilla without action. (I'll definitely plead guilty to this, and I apologize to the CAs for which it's happened. I'm going to try this month to go through all the CA-related bug reports and resolve them one way or another.)

As always I welcome comments, criticisms, and suggestions for changes; thanks to those who've commented thus far, whether in this forum or via email. If you do have suggestions for changes please submit the actual language you'd like to see in the policy.

Frank

--
Frank Hecker
_______________________________________________
mozilla-crypto mailing list
mozilla-crypto@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-crypto