At 4:53 PM +0100 5/30/07, Gervase Markham wrote:
>Gervase Markham wrote:
>> My proposal is that we accept such CAs, but use this technical
>> capability to restrict them to signing certificates for domains under
>> the appropriate TLD.
>
>Having considered the discussion, it looks like this idea is not going
>to fly. Instead, we will do what Frank suggested, that is, to require:
>
>A) An audit to an approved standard, as listed in policy section 8
>B) Performed by a competent and independent body in which we have
> confidence, with criteria listed in policy section 9 and 10
>C) Which makes a public statement to that effect.
>
>There is no reason that the body in B) should not be a government or
>government-appointed, as long as we continue to have confidence in them.
>This confidence is going to be necessarily subjective (such that I might
>trust the government of Switzerland, but not that of North Korea); I
>have no problem with that. Of course, we are allowed to refuse any CA
>for any reason under policy section 4.
Thanks, this seems like a good resolution. If you are codifying it
somewhere, I propose changing "the government of Switzerland, but not
that of North Korea" to "a well-known body or organization, but not that
of a brand-new one or one that already has a bad reputation".

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto