On 01/13/2009 09:56 PM, Paul Hoffman:
> We disagree here. I think it would be more problematic for Mozilla to be
> accused of having hard-to-find policy changes than to simply change the policy
> itself when needed.
I did not suggest that there should be "hard-to-find policy changes" at
all. Besides that, I believe that not each and every issue can and must
be listed in the CA policy itself, and neither do I believe that changes
to the policy itself are "simple" nor should they be done every now and then.
The policy clearly states:
We reserve the right to not include a particular CA certificate in our
software products, to *discontinue* including a particular CA
certificate in our products, or to *modify* the "trust bits" for a
particular CA certificate included in our products, at *any* time and
for *any* reason. This includes (but is not limited to) cases where we
believe that including a CA certificate (or setting its "trust bits" in
a particular way) would *cause undue risks* to users' security
There is no need for any policy change nor is it hard to find either.
>> Mozilla is not a CA.
> I never said it was. I was talking about Mozilla's partners in the trust anchor
> pile, all of whom are CAs.
And I was talking about the Mozilla CA Policy in my response to Rob upon
which YOU replied to me. In particular I said that not every allowed or
disallowed algorithm must be listed in the policy. And not each and
every practice (which may be a changing target anyway) which would
*cause undue risks* to users' security!
> I say this because I have now (twice) re-read all of Frank's messages and I do
> not see him saying anything like you say he said.
OK, if I can find the time for it I'll search for it.
> I have done so: Mozilla changes its inclusion policy, it informs everyone
> affected by the policy change, and gives them a period of time to start
> conforming. If a CA doesn't acknowledge that they conform, Mozilla pulls them
> from the trust anchor pile.
As such I'm the last person having a problem with it. The key is to
"inform" the CAs, it doesn't have to be in the policy per se.
> "Informal" is the operative word here. Many of us would prefer formal
> approaches.
I'm not sure if this serves Mozilla and the CAs best, but I have no
problem with it either, go ahead!
>> It's all within the realm of the formal policy,
> ... that says "we will do things informally".
No, please re-read section 4 of the Mozilla CA Policy.
> Yes, I can. You said: "I think that not every bit and byte must be listed in the
> policy, but by-laws may exist to assist the intent of the policy."
Indeed, and I even repeated it just above again. This isn't informal at
all, as section 4 clearly states. By-laws or other documents may assist
Mozilla and the CAs. They are not informal, especially not if the CA is
made aware of them.
> I am suggesting exactly the opposite.
Did you actually read what I wrote there?
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog: https://blog.startcom.org
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto