A quick note before I go off to work: I'm about to conclude that modifying draft 10 of the CA cert policy to mandate additional CA requirements is not going to work; in the words of the IETF we have neither "rough consensus" nor "working code". Therefore I'm at present planning to move forward as follows:

I'm going to use draft 10 as a base, with the following proposed additions:

* Modify clause 6 ("We require that all CAs...") to add a final paragraph as follows (or make this a new clause 7):

  In addition, we reserve the right to not include a CA's
  certificate(s) in cases where we believe that doing so would
  cause undue risks to users' security *or* cause technical
  problems with the operation of our software.

* Add a new clause 12 as follows:

  12. We will appoint one or more persons to make decisions
      on our behalf to evaluate CA requests and make decisions
      regarding them. CAs or others objecting to a particular decision
      may appeal to mozilla.org staff, who will make a final decision.

Language needs to be tweaked for style, etc., but this should give you the general idea.

The underlying idea here is that IMO it will be difficult, nay impossible, to write and (especially) implement the policy without making subjective decisions, either in general or about a particular CA. Therefore I believe it's necessary to acknowledge that in the policy, to give us (and especially me, if I'm making the decisions) the "wiggle room" necessary to address potential concerns.

In particular, I intend the added language in clause 6 to address the concerns of Nelson and others about rogue or incompetent CAs "slipping through" based on meeting the mere letter of the requirements (e.g., a CA with an extremely loose CPS attested to by an auditor willing to take the money and run, or a CA that generates certs that crash or otherwise hork up our software).

However, if you're going to introduce subjectivity (which I think is inevitable) then IMO you also have to accompany that with transparency and accountability, so that a) you know what's going on with regard to the decisions that are taken, and b) you have a channel to make complaints if you think a decision was botched.

I think transparency is already adequately addressed in the policy; see for example clause 2 ("public process"), clause 6 ("publicly disclose", "published criteria"), clause 8 ("sufficient public information"), clause 9 ("publicly disclosed"), and clause 13 ("consulting with the public Mozilla community"). However the policy did not make clear who would be making decisions and how to complain about them, which is why I added the proposed new clause above.

(In practice we should add a link to some other page like the module owners page to identify the actual person making decisions, whether me or someone else.)

That's it for now. My plan is to make the above changes in draft 11 (tomorrow if I have time), and then submit that to the Mozilla Foundation for final approval a day or two after that.

Frank

--
Frank Hecker
[EMAIL PROTECTED]
_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto