I have just posted draft 10 of the proposed CA certificate policy:
http://www.hecker.org/mozilla/ca-certificate-policy
There are only two substantive changes in this version:
* I changed the language on disclosure of financial compensation (i.e., of independent evaluators by CAs) to read "publicly disclose" as opposed to "fully and publicly disclose"; in other words, I dropped the word "fully".
My motivation was to make it clear that we don't want or need to see a fully-itemized disclosure statement (e.g., "$5 for lunch at McDonald's" :-), we just need a statement about the overall compensation (e.g., "$2,000 for expenses incurred during the evaluation").
(For those coming late to the discussion, this requirement is really intended for the case of independent evaluators who don't fit the traditional mold of being accountants or government-authorized test labs, e.g., they might be volunteers being reimbursed for expenses.)
* I added a section discussing revision of the policy, and noting that such revision would be done only after public discussions (similar to what we're doing now).
As I did last time, I've attached a detailed list of diffs to the actual web page.
OK, now for the hard part...
At this point I face a decision: to try to revise this policy further, or to go ahead with the current draft as a reasonable 1.0 policy, with further work pushed to a 1.1 version.
My personal opinion is that the current draft does a good job of codifying and clarifying the current practices that I've been following, as well as allowing us to incorporate new practices like the use of volunteer evaluators. On that basis I would be comfortable submitting this draft (or a very slightly tweaked version of it) to the Mozilla Foundation for consideration as the official 1.0 policy.
However, this draft does not address some of the larger issues that have been raised. In particular, as noted by Nelson Bolyard among others, the proposed MF policy as written requires that CAs be evaluated to confirm that their practices match their own policies and assertions (e.g., as expressed in the CPS, CP, etc.); the proposed MF policy does *not* go beyond that to attempt to put requirements on those CA policies, for example, to require particular assurance levels for CAs issuing particular types of certificates.
Should we attempt to change the policy to reflect these larger issues? For my part I am predisposed to adopting the current draft as a 1.0 policy, partly for the selfish reason that it's less work for me :-) More seriously, I do think that the proposed draft is consistent with the current state of affairs with regard to browsers and CAs, and is a good base for future policies that might be further-reaching.
I'm prepared to modify my opinion in the face of compelling arguments to the contrary. However, I am concerned about getting bogged down in discussions about the right way to approach more significant changes to the policy, and not reaching consensus on actual policy language. See my previous response to Nelson (on 2/15, subject "Re: Low assurance SSL CAs") for a more detailed discussion of my concerns around the idea of expanding the requirements on CAs to include minimal assurance levels.
I'm also concerned about adopting a policy that implies or requires underlying implementation changes or (even worse) changes in the CA business as a whole, as I've previously noted in the metapolicy. (For example, some proposals imply or require additional browser UI or other changes, for example to display information to the user about the particular CA "class" or to recognize hypothetical standardized policy OIDs.)
It's not that I don't think these suggestions are good ideas; it's just that I think additional experimentation and investigation is needed in order to determine if these suggestions are doable and worth doing, and I don't necessarily want to wait on the results of that work prior to putting an initial 1.0 policy in place.
As usual, I welcome your comments on this issue, and in particular your opinions as to whether I should take this draft forward to the Mozilla Foundation for consideration as a 1.0 policy.
Frank
-- Frank Hecker [EMAIL PROTECTED]
Index: mozilla/ca-certificate-policy.html
===================================================================
--- mozilla/ca-certificate-policy.html (revision 358)
+++ mozilla/ca-certificate-policy.html (working copy)
@@ -142,7 +142,7 @@
<li>the party is not financially compensated by the CA;</li>
<li>the nature and amount of the party's financial compensation
- by the CA is fully and publicly disclosed; <em>or</em></li>
+ by the CA is publicly disclosed; <em>or</em></li>
<li>the party is bound by law, government regulation, and/or a
professional code of ethics to render an honest and objective
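Review bot: the changed `<li>` now reads "the nature and amount of the party's financial compensation by the CA is publicly disclosed" without saying at what granularity, so a reader of the policy alone cannot tell whether an itemized statement is expected; the covering message says an overall figure (total expenses) is what is intended, so consider putting that into the policy text itself, e.g. "the nature and approximate total amount of the party's financial compensation by the CA is publicly disclosed", rather than leaving the intent in the mailing-list discussion.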
@@ -205,7 +205,12 @@
We will reject requests where the CA does not provide such
information within a reasonable time after submitting its
- request.</li></ol>
+ request.</li>
+
+ <li>We reserve the right to change this policy in the future. We
+ will do so only after consulting with the public Mozilla community,
+ in order to ensure that all views are taken into account.</li></ol>
+
</div>
<p>This policy applies only to software products distributed by the
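Review bot: the new `<li>We reserve the right to change this policy in the future. ...</li>` is appended to an ordered list whose other items are conditions on CAs and their inclusion requests (the item just before it rejects requests lacking information), so it may be read as one more condition on inclusion rather than a statement about the policy itself; consider moving it to its own paragraph after `</ol>`. It would also help to say where consultation happens and where revisions are recorded (the version history at the foot of the page is the natural place), since "consulting with the public Mozilla community" does not name a forum.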
@@ -227,26 +232,30 @@
to related questions.</p>
<div class="important">
-<p>Version 0.9, February 11, 2004. Extended requirements to cover all
+<p>Version 0.10, Feburary 16, 2005. Dropped "fully" from financial
+disclosure requirement. Added section on revising the
+policy. Corrected date references on version history.</p>
+
+<p>Version 0.9, February 11, 2005. Extended requirements to cover all
CAs included with Mozilla products. Changed "independent and qualified
third party" to "competent independent party" and clarified that they
need to have information on CAs' operations. Added ETSI TS 101 456 and
102 042 as acceptable criteria. Changed language on financial
compensation to evaluators. Various other minor changes.</p>
-<p>Version 0.8, February 8, 2004. Clarified references to
+<p>Version 0.8, February 8, 2005. Clarified references to
"users". Added requirement for a CPS or equivalent document. Removed
reference to X509v3. Clarified that the MF could do its own evaluation
if it wished to do so. Added that requests without supporting
documentation will be rejected.</p>
-<p>Version 0.7, February 6, 2004. Tweaked language on "trust bits",
+<p>Version 0.7, February 6, 2005. Tweaked language on "trust bits",
"preliminary determination", "software products", etc., as
suggested. Added more information on how third parties will be
evaluated for competence. Added more language on what it means to be
an "independent" third party.</p>
-<p>Version 0.6, February 4, 2004. Changed conformance requirement to
+<p>Version 0.6, February 4, 2005. Changed conformance requirement to
use "acceptable criteria", currently defined as X9.79 or WebTrust.</p>
<p>Version 0.5, December 23, 2004. Added "WebTrust or equivalent"
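Review bot: the added line `+<p>Version 0.10, Feburary 16, 2005.` misspells "February", which is awkward in an entry whose own change note is "Corrected date references on version history"; fix before committing. The year corrections from 2004 to 2005 on the 0.6 through 0.9 entries are consistent with each other and with leaving version 0.5 at December 23, 2004.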
