Kyle Hamilton:
> I tend to disagree.
>
> I think that Mozilla needs to grow enough balls to boot out anyone who
> doesn't continue to adhere to the standards for inclusion after
> approval.

The first step is to receive a firm commitment from the CA. Before 
kicking a CA out of NSS, Mozilla should make clear what the rules are 
and what it expects. Right now it isn't anywhere clear nor has any CA 
made any commitments toward Mozilla. All that happened is that some CAs 
underwent an inclusion process.


> This CANNOT be a one-time requirement.

Exactly, that's why I suggested that CAs sign on the dotted line.

>
> Mozilla's afraid of losing marketshare?  How about putting something
> in NSS to inform the users of a previously-trusted certificate why
> it's been removed?  A warning dialog saying something like "For your
> protection, this email certificate's trust has been revoked because:
> this CA has delegated its full trust to another CA which has been
> shown to not adhere to the same level of identity verification for
> email certificates.  We cannot guarantee that the person who sent this
> is the person that the certificate states that it was issued to."
> would be very useful here.

I doubt that removing the trust bit for email from a CA has such an 
impact...most care only for server certs anyway.

>
> The system as it stands only works as long as all parties behave...
> and there isn't anywhere near enough of a means (or desire :P) to
> enforce the rules when they don't behave.  This, more than anything,
> is what this thread is about.  This, more than anything, is what needs
> to be resolved.

Well, there is also a problem with knowing and reporting of 
"misbehavior". Whatever came up lately - including this issue - was by 
pure chance. I bet my hat there are many more which should receive 
attention. Hence having a CA sign on to the Mozilla CA policy can have 
legal consequences and prevent it from happening in the first place. It also 
raises awareness when a CEO has to commit to it.


>
> As well -- is there any system, at all, in place for reviewing changes
> to CPSes to included roots?  Or do those changes slip through without
> review (like Thawte's v1 to v2 to v3 CPS updates seemed to)?

No, currently there is no such thing. Once upon a time a CA will have a 
new root or EV upgrade and then comes its turn perhaps.


>
> Auditors always audit against the last-issued CPS.  That we know that
> they passed an audit with an acceptable CPS and continue to pass their
> audits is not enough.  If the CPS updates aren't evaluated and
> negative changes acted on, the system is easily subverted

Yes, governing is difficult. But perhaps Mozilla should start in smaller 
steps like the one I suggested. It would at least provide the base for 
further action.


-- 
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: [EMAIL PROTECTED]
Blog:   https://blog.startcom.org
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
