A year and 10 days ago, I posted bug https://bugzilla.mozilla.org/show_bug.cgi?id=233458 as a test case for mozilla's new (not then developed) CA policy.
I'm not sure that the present draft passes that test.
Bug 233458 is a request to add a particular CA cert to mozilla's list. It listed the CA's policy statement of public practice, describing exactly what the CA would and would not do in the areas of protection of keys, authentication of applicants, etc.
It was an obvious rogue. Some would say it's absurd on its face. Nearly every statement in it was *intended* to raise a red flag. It was a test to see if mozilla's policy would incorporate *ANY* minimum standard of acceptable practice among applying CAs.
David E. Ross replied:
"I would not ask Mozilla users to trust this (or any other certificate authority) without some assurance (beyond self assertions) that its practices do indeed meet the standards generally advocated for CAs."
Yet, I am not sure that the present draft requires any such minimum standards.
Today's policy draft includes multiple sets of criteria against which a CA may choose to have itself measured. Some of those sets do incorporate minimum "standards generally advocated for CAs", but others seem to allow the CA to define its own practices, and attest to nothing more than what (little) the CA said it would do.
I'm not sure, but I think I could publish a slightly more formal CPS that embodied the policy statements in bug 233458, and then could get WebTrust to audit my rogue CA and attest that, sure enough, my CA does exactly what (little) my CPS said it would do. It appears to me that the only barrier to accomplishing that goal is a few kilobucks. With that attestation in place, I think mozilla's policy would offer no other barrier to entry.
Is that good enough for mozilla?
-- Nelson B

_______________________________________________
mozilla-crypto mailing list
http://mail.mozilla.org/listinfo/mozilla-crypto
