On 12/2/09 20:46, Eddy Nigg wrote:
> On 02/12/2009 09:04 PM, Ian G:
>> Eddy, you change your tune so fast you must be a salsa dancer ...
>
> I don't think so. I wondered if we need a list of 20 items in order to
> clarify what a CA should provide in terms of audited documents. As I
> already said, many times we need only clarifications - a big difference
> to an unpublished CPS. Publishing the CPS is and should be the norm I
> think, not sure what's the fuss about really.


OK, let me try and explain. The fact is that it is a common norm in North America, but the European standards people -- presumably with substantial input from stakeholders -- took the path that the CPS did not need to be published.

So it is apparently not a norm, just popular in WebTrust circles. (I prefer it and demand it myself, but Mozilla has to be all inclusive.)

Don't fixate on the title. CAs generally have some set of documents that are internal / not published, and some set of documents that are published. If someone like the WebTrust people come along and say "CPS must be published" then the CPS gets thinner and some other document gets fatter...

The ETSI group just said it the other way around, they want one all-inclusive document for ease of auditing, perhaps recognising that nobody ever reads the things, and auditors play a bigger part in Europe. But that's speculation.


>> ... (but many times I prefer not
>> to disprove your claims as it serves me other interests).


Perhaps you could share those other interests with all? Otherwise it looks a little Machiavellian!


>> One is the "WebTrust and friends." This is done completely independently
>> of Mozilla.
>
> Mozilla doesn't perform an audit, Mozilla processes an inclusion request
> of a CA root certificate into their software according to their own
> stated policies.


Yes, that's why I wrote:

      The second is the "Mozilla review" ...


>> Requiring the presence of the auditor for the second one is highly
>> problematic. It's easy to demand, sure. It makes everyone here feel
>> really good and righteous and comfortable, as we armchair-general our
>> way along to winning this paper war. But out where the real shots are
>> fired, the forces don't move around so easily as they do on a mapboard.
>
> Nobody ever proposed what you assume (again) above.


David wrote, and you supported:

*  All documents supplied as evidence should be publicly available and
must be addressed in any audit.


> In case of a
> deficiency or other problematic issue which might come up every here and
> now, solutions need to be found. It's not the goal of Mozilla to prevent
> inclusion of CAs, but to reasonably assure that the to-be-included CA
> conforms to its policy. Where is now the problem again?


Agreed. The problem perhaps is in the enthusiasm?


>> PS: So, just to clarify my own audit position here. As far as I see it,
>> it makes no odds to CAcert whether you add this requirement in or not,
>> because I have included or thought about or am aware of Mozilla from the
>> beginning, and probably won't be far away, afterwards. But that "Mozilla
>> first" approach only applies rarely. Perhaps only to CAcert, maybe
>> Startcom, dunno.
>
> What are you talking about? Can you clarify?


Sorry, which part?


iang
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
