As Eddy said, discussion of amendments to the Policy is a bit off topic
for threads about certificate inclusion.

1) This policy does leave a loophole in regards to domain ownership.  It
seems to me that the policy should make continued inclusion contingent on
continued domain ownership by the entity originally requesting inclusion.

1a) This loophole could be closed if domain (and thus, CA) ownership
transfer triggered a review of policy compliance or revoked inclusion
outright.

1b) Perhaps QA should add an automated "continued ownership verification"
step to its pre-release regression suite, if one does not already exist.

2) Since there is a period of public review before CA inclusion is
confirmed, it seems that the required documents should be required to be in
a format viewable by the public.

2a) I recommend that we advise applicants to review RFC 2527.

2b) I do not consider ".doc" files generated by "Microsoft Office Word" to
fall into the category of "viewable by the public." This file format is
proprietary, undocumented, and has historically varied when "open" document
readers are implemented.

2c) I recommend that we require that documents be presented in the current
"lingua franca," and that their content be encoded as UTF-8.

3) There is currently no definition of how recently an audit must have been
performed by a trusted third party, only that one must have been performed.

3a) I recommend that we place a reasonable limit on how recently an audit
must have been performed before accepting an application for certificate
inclusion.

3b) I recommend that CAs be required to provide proof of a successful audit
at reasonable intervals for continued inclusion.  I leave it up to the list
to decide what "reasonable" means.  For reference, Washington State requires
that electrical licenses be renewed every two years.

3c) I recommend that if an application process exceeds a year prior to
approval, the applicant be required to provide proof of an additional
successful audit prior to the continuation of the approval process.

Thoughts?

C.J.

-- 
moo.
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
