On 12/1/09 12:08, Rob Stradling wrote:
> If Mozilla want to "hold a CA to doing something",


Agreed, right now, Mozilla has no effective tools to hold anyone to anything.

I would suggest we think in terms of "dispute resolution." This is more general than "Mozilla holds a CA to something" but the result is more robust, IMO.

I posted my view of what this would be on 23rd December.

The question then is: do people feel comfortable about posting the message of 23rd December as a "dispute resolution page" on the wiki under something like /CA:disputes?



iang



minor notes:

1. Because such guidance has legal ramifications, I'd say Mozo has a veto on this suggestion, regardless of outsiders' views and desires.

2. One practical question is #3, the precise name of the "owner".

3. I should point out that I tried to strictly reverse-engineer the current situation, not re-engineer it. I think we should document where we are right now; think about it, and then advance that.




On 23/12/08 14:58, Ian G edited:

1. How to file a dispute against Mozilla and/or a CA. This seems fairly
easy; file a bug in Bugzilla and mark it as already described here:
https://wiki.mozilla.org/CA:How_to_apply (with mods: Severity: as
appropriate).



2. What is the practice on revocation or un-trusting of roots? This is
perhaps a headline case of a dispute, so it possibly merits its own
notes. Frank has suggested the test:

a. there is a clear and present danger to Mozilla users, or
b. to punish a CA, and/or to deter others.

I would suggest that (b) be modified slightly to give it a basis, which
in this case might be "for breaches of policy or practices". The Policy,
pt 4, gives the authority, as well as some examples, and adds another
test case:

c. where certificates cause technical problems with mozo software.



3. How to resolve a dispute. This is a Mozilla action & responsibility.
Reverse-engineering and referring, I would suggest this as a teaser:

a. The CA certificate "module owner" at the Mozilla Foundation is
responsible. Ref, the policy, pt 15.
b. The dispute is investigated and ruled on by module owner.
c. The ruling is listed in the bug report above.
d. Many disputes will be dealt with by communication, and no ruling will
be required. This will create a default "closed, no action" ruling.



4. Finality. What happens if we disagree with the decision of the module
owner? In the policy, it says "CAs or others objecting to a particular
decision may appeal to mozilla.org staff, who will make a final
decision." Ref, policy, pt 15.

I would wonder about this; Google suggests that "staff" is as listed here:
http://www.mozilla.org/about/staff
but that seems out of date. Also, due to the absence of this forum in
the public eye, I doubt it musters the credibility we need in dispute
review where the legal and contractual significance is high. E.g., is
there any way we can review the decisions they made in the past?

There are several possibilities:

(i) Ruling is final.
(ii) Mozilla.org staff, policy, pt 15.
(iii) Review by board of Mozilla Foundation.
(iv) Review by some independent party.
(v) Review by forum at law: courts, or Arbitrator.

Personally, I would plump for (iii) and suggest the Mozo Foundation
board as the next step. It is expensive, but available. The directors
already have fiduciary responsibility, and can thus deal with the
significance. It is also aligned with the review of the manager
concerned, the policy and the general contractual issues.
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto