On 11/2/09 05:20, Frank Hecker wrote:
Ian G wrote:
The policy says, we need published information, *eg* the CPS.

Not, "CPS must be published."

Yes, exactly. We typically use the CPS and/or CP because almost all CAs
publish those documents; however there is no requirement that the
information published by the CA be in the form of a CPS or CP.

Speaking personally, I think that it is good practice for CAs to
publish a CPS. If a CA has private information relating to detailed
internal processes that it does not wish to make public, I suggest that
it put such material in a separate "CA operations manual" that is
internal-only.


OK, I made some changes on the wiki and added these words:

https://wiki.mozilla.org/CA:Recommended_Practices#Recommended_practices

  # .... (we rely on public documents only).
  # If you do not publish the CP/CPS (not recommended), you will need to publish an extract that summarizes the portions that are of most interest to us.


This only reflects my understanding of the situation. Also, I recognise that the words on the wiki already almost nailed it, so we are in danger of bureaucratic freefall... Hack away...

iang
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
