Eddy Nigg (StartCom Ltd.) wrote:
> I just would like to remind you about the promise made at the beginning
> of this year (at and after the conference call), that Mozilla will work
> at the CAB forum for alternative (and definition of equivalent) third
> party audit other than webtrust and/or implement its own alternative
> binding for Mozilla products only.

I'll consider myself reminded :-) But how should that affect this current proposal to change the Mozilla CA policy? As I noted in my previous message, I think requiring compliance with the CAB Forum guidelines implies compliance with the audit requirements of those guidelines, and those guidelines already allow for the possibility of non-WebTrust audits. ("...or an equivalent for both (i) and (ii) as approved by the CA/Browser Forum", to quote the relevant clauses of section 35.)

We then have the following alternative options:

A. Change our policy to adopt language like I suggested in my last message, and then separately work through the CAB Forum to get some non-WebTrust audit programs approved by the CAB Forum as "equivalent" to the WebTrust programs.

or

B. Try to come up with an alternative audit program ourselves, and change our policy to allow that program to satisfy our own requirements for EV certs, independent of what the CAB Forum does or doesn't do.

My personal preference is to go with option A. First, I don't want to gate updating our policy on solving the problem of defining a WebTrust-equivalent EV audit regime. Second, I would prefer that we use the standard CAB Forum mechanisms to try and address this issue.

Frank

-- 
Frank Hecker
[EMAIL PROTECTED]

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto