I've created a new draft 0.8 of the Mozilla CA Certificate Policy:
http://www.hecker.org/mozilla/ca-certificate-policy
I know everyone has been been distracted by the punycode controversy (my condensed opinion: yes, registrars *should* do something about it, yes, CAs *could* do something about it, but regardless of what they do we *have to* do something about it), but I still want to keep moving toward a final draft of the CA policy.
Currently I am considering making the following changes from draft 0.8 to draft 0.9:
* Clause 5: Someone suggested via email that the requirements of paragraph 5 (provision of some relevant service, public disclosure, operating to acceptable criteria, and third party attestation) be expanded to include all CAs whose certs are distributed with Mozilla-related software, not just new CAs applying to have their certs included. This would give us the leeway to go back and re-evaluate existing CAs as we had the time to do so.
IMO making this change could be as simple as changing "We require that all such CAs:" to "We require that all CAs:", i.e., delete the word "such". However it might be more clear to split clause 5 into two clauses and add some additional language:
5. We will consider adding certificates for additional CAs to the
default certificate set upon request. 6. We require that all CAs whose certificates are distributed with
our software products:* provide some service ...
* Clause 7: For a "qualified third party" not otherwise authorized to do CA evaluations we require that there be "public information regarding the third party's ... reputation for honesty and objectivity." I think that this is redundant, and should just read "public information regarding the third party's ... honesty and objectivity" (in other words, delete "reputation for").
* Clause 8: For evaluators who are not, e.g., accounting professionals or government-authorized test labs we require that they "[have] no financial or contractual relationship with the CA". But what if a volunteer wanted to assist a CA with an evaluation, and the CA wanted to reimburse the volunteer for any expenses incurred as part of the evaluation? The clause as written would seem to prohibit such arrangements, since it would arguably constitute a "financial relationship".
I didn't intend to rule out such arrangements (which IMO are acceptable), and if others concur I'd like to change the language to clarify this. I'm not sure of the best language to use, but I was thinking about something like the following:
8. By "independent third party" we mean a person or other entity who
is not financially compensated by the CA (except possibly for
reimbursement of necessary and reasonable expenses incurred during
an evaluation) and is not otherwise affiliated with the CA, *or*
who is bound by law, regulation, and/or a professional code of
ethics to render an honest and objective judgement regarding the
CA.Note that I added the phrase "not otherwise affiliated with the CA" to address the possible case where a CA employee works as a volunteer.
This added phrase in turn introduces a possible ambiguity: As written the proposed revised clause would seem to permit the "independent third party" to be affiliated with the CA as long as they are "bound by law, regulation, and/or a professional code of ethics to render an honest and objective judgement regarding the CA". This reminds me of Ian's comments about trusting internal evaluations of CAs in cases where there's some law or regulation (e.g., Sarbanes-Oxley) that might cover such evaluations.
I don't know whether to tolerate this ambiguity or eliminate it (i.e., by extending the "not ... affiliated with the CA" requirement to cover all cases). I welcome your thoughts on this issue and on the other changes proposed above.
Frank
-- Frank Hecker [EMAIL PROTECTED] _______________________________________________ mozilla-crypto mailing list [email protected] http://mail.mozilla.org/listinfo/mozilla-crypto
