Gervase Markham wrote:
> My proposal is that we accept such CAs, but use this technical 
> capability to restrict them to signing certificates for domains under 
> the appropriate TLD.

Having considered the discussion, it looks like this idea is not going 
to fly. Instead, we will do what Frank suggested, that is, to require:

A) An audit to an approved standard, as listed in policy section 8
B) Performed by a competent and independent body in which we have
    confidence, with criteria listed in policy sections 9 and 10
C) Which makes a public statement to that effect.

There is no reason that the body in B) should not be a government or 
government-appointed, as long as we continue to have confidence in them. 
This confidence is going to be necessarily subjective (such that I might 
trust the government of Switzerland, but not that of North Korea); I 
have no problem with that. Of course, we are allowed to refuse any CA 
for any reason under policy section 4.

I will revisit the applications of the CAs in question bearing these 
points in mind.

Gerv
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto