C.J. Adams-Collier wrote:
> As Eddy said, discussion of amendments to the Policy are a bit off topic
> for threads about certificate inclusion.

Thanks for your suggestions. I've included some quick comments below.

As a general comment, I think it would be a good idea to create a document for use by CAs, explaining in more detail the requirements of our policy, and providing our recommendations on how to best satisfy the various concerns we might have regarding the CAs' applications for inclusion. My personal preference would be to create this document first (because I think it's badly needed), and then to see which parts of the document might make sense to include in the policy itself. (Note that we could also incorporate such a document in the policy by reference.)

> 1) This policy does leave a loophole in regards to domain ownership. It
> seems to me that the policy should make continued inclusion contingent on
> continued domain ownership by the entity originally requesting inclusion.

I'm a bit confused here. Are you using the term "domain ownership" to refer to the general question of who owns the CA? If so, I agree that transfers of ownership and related events are issues that we should look at for a future version of the policy.

> 2) Since there is a period of public review before CA inclusion is
> confirmed, it seems that the required documents should be required to be in
> a format viewable by the public.

FWIW, in almost all cases I've encountered, CA-related documents have been in PDF format. If CAs provide documents in Microsoft Word format then we can ask them to provide another format instead; this can be part of the recommendations document I mentioned above.

> 2c) I recommend that we require that documents be presented in the current
> "lingua franca," and that their content be encoded as utf8

By "lingua franca" I presume you mean "English". I think this point is debatable.
In the past we have had at least one or two country-specific CAs that had CPs or CPSs only in their native language, not English; in those cases I got machine translations of the relevant CP/CPS sections and confirmed my understanding with native speakers of the language. I agree that it is preferable to have English versions of all documents, but at the moment my inclination is to make this a recommendation, not a mandatory requirement. (Not having English versions does delay processing a CA's applications, of course, and I have no problem with giving higher priority to CA applications that provide full documentation in English.)

> 3) There is currently no definition of how recently an audit must have been
> performed by a trusted third party, only that one must have been performed.

This is an issue worth discussing; I don't have any finished thoughts on it right now.

Frank

--
Frank Hecker
[EMAIL PROTECTED]