Frank Hecker wrote:
>
> I'll consider myself reminded :-)
>
> But how should that affect this current proposal to change the Mozilla 
> CA policy? As I noted in my previous message, I think requiring 
> compliance to the CAB Forum guidelines implies compliance with the audit 
> requirements of those guidelines, and those guidelines already allow for 
> the possibility of non-WebTrust audits. ("...or an equivalent for both 
> (i) and (ii) as approved by the CA/Browser Forum", to quote the relevant 
> clauses of section 35.)
>
> We then have the following alternative options:
>
> A. Change our policy to adopt language like I suggested in my last 
> message, and then separately work through the CAB Forum to get some 
> non-WebTrust audit programs approved by the CAB Forum as "equivalent" to 
> the WebTrust programs.
>
> or
>
> B. Try to come up with an alternative audit program ourselves, and 
> change our policy to allow that program to satisfy our own requirements 
> for EV certs, independent of what the CAB Forum does or doesn't do.
>
> My personal preference is to go with option A. First, I don't want to 
> gate updating our policy on solving the problem of defining a 
> WebTrust-equivalent EV audit regime. Second, I would prefer that we use 
> the standard CAB Forum mechanisms to try and address this issue.

I think everything you said in the previous post to the mailing list and 
the comment above makes perfect sense. Additionally I'd also agree on A 
as well as the preferred option should it be made possible. However, I 
suggest we all agree on a plan and timeline which would result in 
option B in case of failure of A.

Mozilla has voted in favor of the guidelines and some time has passed 
since. I haven't been updated if anything happened in that direction, 
but supposing that nothing could be advanced as of now, we should define 
when/where/what happens if there is no solution found to the 
"WebTrust-equivalent EV audit regime" problem (your words ;-) ). Your 
option B could be a very likely solution in such a case.


-- 
Regards 
 
Signer:         Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber:         [EMAIL PROTECTED] <xmpp:[EMAIL PROTECTED]>
Blog:   Join the Revolution! <http://blog.startcom.org>
Phone:          +1.213.341.0390
 

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
