Gervase Markham wrote:
> My proposal is that we accept such CAs, but use this technical
> capability to restrict them to signing certificates for domains under
> the appropriate TLD.
Having considered the discussion, it looks like this idea is not going
to fly. Instead, we will do what Frank suggested, that is, to require:
A) An audit to an approved standard, as listed in policy section 8
B) Performed by a competent and independent body in which we have
confidence, with criteria listed in policy section 9 and 10
C) Which makes a public statement to that effect.
There is no reason that the body in B) should not be a government or
government-appointed, as long as we continue to have confidence in them.
This confidence is going to be necessarily subjective (such that I might
trust the government of Switzerland, but not that of North Korea); I
have no problem with that. Of course, we are allowed to refuse any CA
for any reason under policy section 4.
I will revisit the applications of the CAs in question bearing these
points in mind.
Gerv
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
