At 11:16 AM +0200 1/13/09, Eddy Nigg wrote:
>On 01/13/2009 10:15 AM, Rob Stradling:
>>Eddy, I do think that the Mozilla CA Certificate Policy should cover
>>*all* "actual" problematic practices.  In this particular case, I think that
>>a blacklist of unsupported/non-allowed/not-recommended algorithms and/or a
>>whitelist of supported/allowed/recommended algorithms would be very useful
>>information for the CAs.
>
>Useful yes, up to a certain extent. If there is too much information in the 
>policy, it will start to be problematic.

For whom? Most CAs run businesses where written policies are the norm.

>The policy shouldn't be changed every here and now and I think this is the 
>position Frank represents too.

Where did Frank say, or even hint, that?

>>If Mozilla ever does decide to pull a CA's Root for whatever reason, wouldn't
>>it be so much better if Mozilla could say to them...
>>   "CA X, you have no excuse.  You have clearly violated clause N of version
>>Y.Z of the Mozilla CA Certificate Policy, which you had previously agreed to
>>adhere to"
>>...rather than...
>>   "CA X, you took your eyes off the ball.  You really should have been
>>following all of the discussions on mozilla.dev.tech.crypto more closely and
>>assuming that any opinion expressed might become Mozilla's official policy at
>>any moment.  And you really should have assumed that violating
>>any 'potentially problematic practice' could give us cause to pull your Root
>>at any time"
>>?
>
>I simply don't think this is how it works.

Others disagree. The business model for most CAs is different than yours, it 
sounds like. This sounds like you want the pulling of a CA to be done 
informally, outside the realm of a formal policy. That's fine, but others may 
differ.
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
