Gervase Markham wrote:
> My proposal is that we accept such CAs, but use this technical
> capability to restrict them to signing certificates for domains under
> the appropriate TLD.

Having considered the discussion, it looks like this idea is not going to fly. Instead, we will do what Frank suggested, that is, to require:

A) An audit to an approved standard, as listed in policy section 8
B) Performed by a competent and independent body in which we have confidence, with criteria listed in policy section 9 and 10
C) Which makes a public statement to that effect.

There is no reason that the body in B) should not be a government or government-appointed, as long as we continue to have confidence in them. This confidence is going to be necessarily subjective (such that I might trust the government of Switzerland, but not that of North Korea); I have no problem with that.

Of course, we are allowed to refuse any CA for any reason under policy section 4.

I will revisit the applications of the CAs in question bearing these points in mind.

Gerv
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto