Frank Hecker wrote:

> I'm sorry, I'm a bit confused here: It appears that you are agreeing
> that it would be a good idea for the policy to include some minimum
> requirements for CAs in terms of their policies (i.e., avoid the
> scenario Nelson mentioned where we're simply asking CAs to provide
> evidence they're following their CPS, no matter how loose), but you're
> disagreeing on what those minimum requirements should be. Am I correct?
> If not, could you clarify?
My point was that some root certificates include class information, but Nelson pointed out classes aren't standardised, so this can be misleading and requires the users to read each and every CPS to find out what each and every CA means by it.

So this then leads one to consider how many of these claims are misleading. Just because a CA has class 3 certificates for xyz, is this the same thing as another CA? So where does this lead the end user if the same terms aren't used in a consistent manner? Do they blame the browsers for allowing these inconsistencies to creep into their browsers? Do they blame WebTrust for auditing the CA and having these statements?

At a guess, I don't think they will be blaming the CAs or WebTrust; after all, how many users even realise about WebTrust or CAs unless they need a certificate? All the end user sees is the browser says there is a lock, so they must be trustable...

-- 
Best regards,
Duane

http://www.cacert.org - Free Security Certificates
http://www.nodedb.com - Think globally, network locally
http://www.sydneywireless.com - Telecommunications Freedom
http://happysnapper.com.au - Sell your photos over the net!
http://e164.org - Using Enum.164 to interconnect asterisk servers

"In the long run the pessimist may be proved right, but the optimist has a better time on the trip."

_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto
