Frank Hecker wrote:

A quick note before I go off to work: I'm about to conclude that modifying draft 10 of the CA cert policy to mandate additional CA requirements is not going to work; in the words of the IETF we have neither "rough consensus" nor "working code". Therefore I'm at present planning to move forward as follows:

I'm going to use draft 10 as a base, with the following proposed additions:

* Modify clause 6 ("We require that all CAs...") to add a final paragraph as follows (or make this a new clause 7):

  In addition, we reserve the right to not include a CA's
  certificate(s) in cases where we believe that doing so would
  cause undue risks to users' security *or* cause technical
  problems with the operation of our software.


I would make that even more lopsided in MF's favour.
Something like:

 "We reserve the right to not include a CA's certificate(s)
  for any reason and in our sole determination.

 Cases may include but are not limited
 to cases where we believe that doing so would
 cause undue risks to users' security *or* cause technical
 problems with the operation of our software."

Or something.  (I haven't the URL in front of me, I should
check that to see it isn't already there...)


* Add a new clause 12 as follows:

  12. We will appoint one or more persons to make decisions
      on our behalf to evaluate CA requests and make decisions
      regarding them. CAs or others objecting to a particular decision
      may appeal to mozilla.org staff, who will make a final decision.


Might help to give that person(s) a name.

"MF will appoint a 'CA coordinator' to make decisions
regarding all matters concerning CAs  ..."


That's it for now. My plan is to make the above changes in draft 11 (tomorrow if I have time), and then submit that to the Mozilla Foundation for final approval a day or two after that.


Good stuff!

iang

--
News and views on what matters in finance+crypto:
       http://financialcryptography.com/

_______________________________________________
mozilla-crypto mailing list
http://mail.mozilla.org/listinfo/mozilla-crypto
