Eddy Nigg wrote:
> On 02/05/2009 04:05 AM, Frank Hecker:
>> * In the near term I think we should make it a recommended practice that
>> CAs should revoke certificates whose private keys are known to be
>> compromised, as well as certificates for which subscriber verification
>> is known to be invalid.
> Well, a recommendation is just what it is I guess...
I want to start with a recommendation, but not end with it. I want to
use the recommendation for two purposes:
* to have Kathleen start actively checking CPSs for revocation language
* to fine-tune the exact language in which we want to state a policy
requirement
There are likely some ambiguities and corner cases we need to worry
about, which is one reason why I'd like us to first get some experience
with what CAs are actually putting in their CPSs.
> If however you intend to have any effect on the desired behavior, then
> Mozilla must make those things a requirement.
I agree. I think this is a case where it definitely makes sense to have
this be a requirement. I also think the case of revocation on key
compromise is relatively clear, and I don't anticipate any major
problems finding policy language to deal with it.
However I'd also like us to consider including a requirement that CAs
revoke certificates when it's clear that validation of subscribers was
not done or was done wrong, like in the Comodo/CertStar problem or your
StartCom bug. I don't quite know right now exactly how to word such a
requirement properly, and I'd like to "beta-test" some language and see
how it compares to what CAs are claiming in CPSs.
> Or Mozilla must create by-laws to the policy which may change more
> frequently.
I think it is certainly reasonable to update the policy on an annual
basis, and I think that should be our minimum target. We could also
update it more frequently, but I don't want to be modifying it on a
monthly basis.
Frank
--
Frank Hecker
hec...@mozillafoundation.org
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto