On 27/12/08 13:43, Eddy Nigg wrote:
> On 12/27/2008 02:16 PM, Ian G:
>> Indeed, this is the "Verisign buyout model"; outsource something new,
>> get huge, get bought out by Verisign.
>
> What has that to do exactly with what Paul agreed to?
>
>> It doesn't matter in business principle whether it outsources a function
>> to a reseller, to its employees or to the government.
>
> Of course it does. Besides that, an employee isn't outsourcing; he is
> part of the company. Or one might ask, why are certain functions never
> outsourced to a third party?


E.g., employees are sometimes subject to various criteria such as background checking.

> Or perhaps let's start to outsource the CA
> root key responsibilities as well then...


This is already done. It is common practice to outsource the security model of the root key to something called an HSM, which is supplied by a manufacturer, which again likely outsources its security criteria to another party, for example CC.


>> Is there a criterion anywhere that says or implies "The CA has not
>> outsourced critical function X to an external agent?" Can anyone recall
>> such a statement?
>
> Yes, to some extent Mozilla does that already today with the
> "Problematic Practices". For example auditing of intermediate CAs
> shouldn't be outsourced from the auditor to the CA (it's just the other
> way around).


They are neither criteria nor policy. If in the future they are to become criteria or policy, let's propose them?


> And if there is no such criterion we might still create and adopt it.
> This is no precedent; there are other criteria already.


Yes, that was the question, to restate it: what criteria or policy exist?

>> that a popular incentive is to generate opportunities for business
>> revenues.
>
> So? Mozilla really shouldn't care about the business revenues of some
> CAs. How is that relevant?


Well, a normal lesson of business is that we can't get business people to agree to something if their revenues go down... PKI is business only (a frequent complaint: who speaks for the user?), and Mozilla has to live in this business world.

Either way, when you get serious and propose a change to a criterion or policy, we have to expect that all will consider the revenues question.

Hence, I predict there are very few restrictions on outsourcing.


> ... Especially in light of the fact that it's a
> core requirement of the Mozilla CA policy.


Well, with respect to desires and so forth, the words that matter are the ones that are in the policy. It says:

    "13.  In addition to the requirements outlined above,
    *we also recommend that* ..."

If there is a move to make that recommendation into a requirement, let's hear it.



iang
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
