> Frank Hecker wrote:
>> A quick note before I go off to work: I'm about to conclude that modifying draft 10 of the CA cert policy to mandate additional CA requirements is not going to work; in the words of the IETF we have neither "rough consensus" nor "working code".
> Working code? We have plenty of working code. No additional working code is needed to place a "floor" on CA requirements.
Sorry, I was speaking metaphorically: By "working code" I mean a clear set of "minimum assurance" criteria which we can use to sort CAs into the "good -- approve" and "bad -- reject" categories.
>> The underlying idea here is that IMO it will be difficult, nay impossible, to write and (especially) implement the policy without making subjective decisions, either in general or about a particular CA.
> Well, it seems that after a year, we've come full circle. IIRC, one of the reasons for adopting the webtrust model in the first place was to get mozilla OUT of the business of making subjective decisions. Why do you now wish to reverse that?
I'm not reversing it, I'm simply acknowledging that there will likely always be a set of cases where subjectivity will still be called for. Adopting WebTrust, X9.79, TS 102 042, etc., greatly reduces the number of such criteria we have to come up with and the corresponding decisions we have to make, so I think it was useful to include them, as opposed to going off and coming up with our own criteria on how CAs should operate. However there is still a grey area and I think it's going to be hard to further reduce it.
> You wonder if this is merely a "good thing" or if there is real cause for concern. There is real cause for concern. I will write you privately about it.
And (without identifying the exact nature of your concern) I will repeat what I wrote to you, which is that I find it difficult to figure out, from a policy point of view, how to exclude the particular case (or cases) you're concerned about without introducing an element of subjectivity that amounts to saying "we don't think this is a good idea, even if everybody else -- auditors, subscribers, relying parties, whoever -- has signed off on it".
Frank
--
Frank Hecker
[EMAIL PROTECTED]

_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto
