On 12/13/2008 01:15 PM, Ian G:
> 2. OTOH, we do have a Mozilla policy (unwritten perhaps) that all CAs are the same.
This is correct to the extent that all CAs must conform to the minimum requirements of the Mozilla CA policy. This is the lowest common denominator of all CAs.
> It should apply even if the user never saw it, like an open source licence. It should set liabilities between CA and end-user.
To some extent this is common practice, and relying party obligations are usually limited to what the software already does anyway (e.g. checking expiration, revocation, etc.).
> If such a thing existed in Mozo's policy, it would probably sweep away a lot of the woes circling around the above situation.
For the evaluation of CAs I don't think that's sufficient, however as Frank already suggested, for the RP a statement in the form of the proposed PKI Disclosure Statement could be very useful.
--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog: https://blog.startcom.org

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto