Frank Hecker wrote:

I have just posted draft 10 of the proposed CA certificate policy:

http://www.hecker.org/mozilla/ca-certificate-policy


Good stuff!


There are only two substantive changes in this version:

* I changed the language on disclosure of financial compensation (i.e., of independent evaluators by CAs) to read "publicly disclose" as opposed to "fully and publicly disclose"; in other words, I dropped the word "fully".

My motivation was to make it clear that we don't want and need to see a fully-itemized disclosure statement (e.g., "$5 for lunch at McDonald's" :-), we just need a statement about the overall compensation (e.g., "$2,000 for expenses incurred during the evaluation").


Makes sense.

* I added a section discussing revision of the policy, and noting that such revision would be done only after public discussions (similar to what we're doing now).


Good!

At this point I face a decision: to try to revise this policy further, or to go ahead with the current draft as a reasonable 1.0 policy, with further work pushed to a 1.1 version.

My personal opinion is that the current draft does a good job of codifying and clarifying the current practices that I've been following, as well as allowing for us to incorporate new practices like the use of volunteer evaluators. On that basis I would be comfortable submitting this draft (or a very slightly tweaked version of it) to the Mozilla Foundation for consideration as the official 1.0 policy.


I would agree with this.  It needs fresh review, and
the group that has reviewed it so far has said lots
already ... you will get far more value now by finding
people who haven't seen it before and getting some
feedback from them.

(And, as there are some outstanding issues as you
raise them, I suspect they will get some airplay...)


However, this draft does not address some of the larger issues that have been raised. In particular, as noted by Nelson Bolyard among others, the proposed MF policy as written requires that CAs be evaluated to confirm that their practices match their own policies and assertions (e.g., as expressed in the CPS, CP, etc.); the proposed MF policy does *not* go beyond that to attempt to put requirements on those CA policies, for example, to require particular assurance levels for CAs issuing particular types of certificates.

Should we attempt to change the policy to reflect these larger issues?


There are lots of fundamental reasons why the above
notion of looking for commonality in CA statements is
unlikely to work.  And, try as I might, I can think of no
reason, nor theory nor example that shows it would
ever work.

So I shall try to briefly suggest some of the key reasons
why it won't work:

a. getting a group of CAs to cooperate on a high standard
brings in the possibility of cheating.  The one who cheats
is rewarded.  The way to overcome this (classically) is to
form what is called a cartel.  But, that is an unstable force,
and the ways to make it stable are ... not pretty.

b.  basic competition theory suggests that companies try
to compete on all fronts ... including quality.  In this sense,
the basic desire of a company is to discriminate (that's the
technical marketing term) its product against everyone
else's.  Setting a standard works against that.

c.  Competition theory also suggests that one way to raise
profits is to raise barriers to new entrants.  If a group of
strong players can force over a standard, then it creates
a costly way for new entrants to come in, and the insiders
then can raise prices.  (Ref: Porter.)  In this world, standards
are a 'bad'.  This approach trumps b., above, if the companies
can arrange it.  Hence the concept of anti-trust.

d.  Safety is one way to look at it.  The issues with safety
are that a) nobody wants to pay for it unless all pay for it, b)
nobody wants some other player to set the rules, so it has
to be 'the government' and c) nobody knows how to do it
anyway (in the security field, that is).  All this leads to a
tendency for the 'safety' field to become a government field.

e.  In general, there is now a body of economics thought
(Mises, Buchanan) that says that the standard result of
government is worse off for everyone.

Now, you'll probably say that's just economics.  So I'll flip
that around and ask:  is there any reason or theory to show
that it would work?  Is there any analogue anywhere in the
world that will make this notion of shared policies among
CAs fly?  I don't think there is.  Nor is there any evidence
to suggest that within the CA field they've ever really
shown any tendency to do this.  They've been at it for 10
years, and nothing.


As usual, I welcome your comments on this issue, and in particular your opinions as to whether I should take this draft forward to the Mozilla Foundation for consideration as a 1.0 policy.


Go for it!

iang

--
News and views on what matters in finance+crypto:
       http://financialcryptography.com/

_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto
