On 11/2/09 02:19, Kyle Hamilton wrote:
That's a very good question.  The most important part of the answer to
it would have to be: don't discount what they say.


Right.

However, I have a suggested strategy for reviewers: don't limit your
review to only those trust bits that are initially requested.  This
way, if there is an amendment to the bug which requests additional
bits to be set, then we don't have to waste our time doing an entire
new review of the CP/CPS/public information to figure out if those new
trust bits are also appropriate.


You could also ask CAs to signal in advance in the docs of any changes coming up in the next year (especially before the next audit cycle)?


I'm asking this because I think a template which includes a statement
of requirements would be an exceedingly good thing for people
undertaking reviews for Mozilla CA program inclusion -- and would open
up the process to people who have less interior working knowledge of a
CA.  This would also allow people who are otherwise untrained, but who
want to take an interest in their security, to understand what the
reviews entail and what Mozilla's priorities are.

(for example:

Please identify the section of the public documentation which
addresses each point below:

SERVER: Performs domain control verification
How does the CA perform this?  (if not performed, answer "N/A"; if not
described, answer "Unspecified")
...

Right, this is to set up criteria for review purposes. Note that (for various motives & historical reasons) we have now in place two reviews. One is done according to pt 8 of the policy, and is done by a person according to pt 9. This one is commonly called "the audit." The other is done according to the Mozilla (evolving) checklist, and is done by Mozilla with help from outsiders.

I do not see that this is wrong, on the face of it.

But it is good to be aware of these things, because it raises complications, such as what the line between the two is, and whether one reviewer should cover the work of the other as well, etc.



iang
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
