On 01/12/2009 01:08 PM, Rob Stradling:
Eddy, I apologize if I'm misinterpreting your response to Paul's last comment,
but I think you are suggesting that Mozilla could "hold a CA to doing
something" that is "currently in the 'problematic practices' wiki page",
purely because that wiki page is a document that is (you allege) "presented
to every CA for a while already".

If that is what you are saying, I disagree with you.  The wiki page clearly
says (capitalization mine)...
   - "POTENTIALLY problematic CA practices".
   - "we do NOT NECESSARILY consider them security risks".
   - "Some of these practices MAY be addressed in future versions of the
policy".

If Mozilla want to "hold a CA to doing something", then IMHO the first step
towards achieving this has to be to update the Mozilla CA Certificate Policy
to explicitly cover that "something".


I absolutely agree with you, and in my opinion this is what should be done - at least for some of those practices. However, as I understand it, not everything is always so clear-cut that it can be made policy; hence there are problematic practices which are reviewed on a case-by-case basis for every CA individually. Confronting the CA with this page early on, during the information gathering period, makes the CA aware of potential problems during the process. This is what has been happening for a while now. I think that not every bit and byte must be listed in the policy, but by-laws may exist to support the intent of the policy.

Instead, I think the policy should mention that such by-laws may exist - as a matter of fact, section 4 deals with it more or less.

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog:   https://blog.startcom.org
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto