Ram0502 wrote:
I'd like to see an indication of what information the CA is prepared to defend and to what extent they are making that assurance on identity (e.g. we assure you this is IBM, NY, US and provide warranty as follows) as well as some indication for signed software as to any policy they may have around appropriate use such as requiring up front disclosure about what the software does.
If I'm not mistaken, it takes the entire CPS to state all that info. The "indication of what information" is the URL of the CA's CPS, IINM. Some CPSes are hundreds of pages long.
Now, if we could get a few standardized "profiles" of CAs, e.g. a standardized "high assurance" profile, and a standardized "low assurance" profile, then perhaps a cert could include an extension that says "this CA conforms to standardized CA profile number XXXX".
It seems to me that this idea of standardized profiles is essentially what ETSI was trying to accomplish with their "Qualified Statements", about which most participants in this group have had little good to say.
I'm not aware of any other efforts to standardize profiles.
-- Nelson B

mozilla-crypto mailing list
http://mail.mozilla.org/listinfo/mozilla-crypto
