On 11/25/2007 8:01 AM, Eddy Nigg (StartCom Ltd.) wrote:
> David E. Ross wrote:
>> On 11/24/2007 11:52 PM, C.J. Adams-Collier wrote [in part]:
>>
>>> 2a) I recommend that we advise applicants to review rfc2527
>>>
>> RFC 2527 has been obsoleted by RFC 3647.
>>
>> The policy should also make clear that third-party certifications or
>> attestations must be available from that third party. While such
>> documents might be provided by the CA for information, it is necessary
>> that they be authenticated by being sent (hardcopy) directly by the
>> signator or viewed on the signator's Web site. In particular, secret or
>> confidential audits should not be acceptable.
>>
> David, secret or confidential audit statements are not accepted by
> Mozilla as far as I know.
>
I know that. But it's not clear in the policy. My comment was actually
prompted by the fact that the Director General of information systems
security in the Government of France wanted to keep the CPS (not the
audit statement) for its IGC/A confidential. (See bug #368970.)

On further analysis, the second bullet under #6 in the policy needs to
make clear that the CP and CPS must be public. Allowance could be made
where content normally expected in either document is instead elsewhere,
but that "elsewhere" must then be public. The current phrasing of that
bullet leaves too much room for interpretation.

Also, the fifth bullet under #6 of the policy should make clear that the
required attestation must be available directly from the attester. The
policy is not sufficiently clear that, while a copy of the attestation
from the CA might be useful, it cannot be accepted as authoritative.

Both of these comments on #6 reflect ongoing discussions in the bug
reports for adding various root certificates to Mozilla.

-- 
David E. Ross
<http://www.rossde.com/>