On 11/18/2008 05:14 PM, Ian G:
> Eddy Nigg wrote:
>> I believe that the policy (and/or other relevant policy guiding
>> statements) should be clear in respect of what Mozilla requires from the
>> CAs.
>
> It's a nice ideal, but I wonder myself whether it can be achieved. This
> is one of the reasons why we have ended up with the race-to-the-bottom
> in secure browsing; necessitating (?) the EV thing, etc etc.

It's not an ideal, but very real, implementable and actually done not
only here, but also elsewhere. The trend is not a race to the bottom,
but toward a higher overall level of quality of PKI after we reached the
bottom - for the good of all parties involved.

I'm not in favor of inventing unnecessary requirements, but of a sound, clear,
reasonable policy with the basic security requirements covered. This was
the intention of the Mozilla CA policy in the first place, which is very
reasonable. Of course not everything was understood back then and it's
time to fix a few points.

> Not that I disagree with your central point that it *should be* clear,
> it is just that I wonder if it can be clear.

Of course it can and I don't see any reason whatsoever why not.

> I think if the subroots were managed by the lead CA, and the CPS said
> they were under the same set of policies, then there would be little
> point in requiring separate audits.

Exactly. As opposed to sub roots which aren't operated by the CA, not
physically at the same infrastructure and not under the same
responsibility. An audit must cover the full infrastructure even in case
the subordinate CA is elsewhere.

> The problem then being that between those two points there is an awful
> lot of space.

I don't think so and a policy requirement can be clear-cut. More or less
in one sentence.

--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Jabber: [EMAIL PROTECTED]
Blog: https://blog.startcom.org
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto