At 4:53 PM +0100 5/30/07, Gervase Markham wrote:
>Gervase Markham wrote:
>>  My proposal is that we accept such CAs, but use this technical
>>  capability to restrict them to signing certificates for domains under
>>  the appropriate TLD.
>
>Having considered the discussion, it looks like this idea is not going
>to fly. Instead, we will do what Frank suggested, that is, to require:
>
>A) An audit to an approved standard, as listed in policy section 8
>B) Performed by a competent and independent body in which we have
>     confidence, with criteria listed in policy section 9 and 10
>C) Which makes a public statement to that effect.
>
>There is no reason that the body in B) should not be a government or
>government-appointed, as long as we continue to have confidence in them.
>This confidence is going to be necessarily subjective (such that I might
>trust the government of Switzerland, but not that of North Korea); I
>have no problem with that. Of course, we are allowed to refuse any CA
>for any reason under policy section 4.

Thanks, this seems like a good resolution. If you are codifying it 
somewhere, I propose changing "the government of Switzerland, but not 
that of North Korea" to "a well-known body or organization, but not 
that of a brand-new one or one that already has a bad reputation".
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto