On 13/2/09 16:15, Ben Bucksch wrote:

For reference, Ian added, and Eddy reverted:

(old text)
The CP/CPS should be publicly available from the CA's official web site
(added text)
(we rely on public documents only).
If you do not publish the CP/CPS (not recommended), you will need to
publish an extract that summarizes the portions that are of most
interest to us.


Fine, whatever. Neither text makes the publication of the CPS obligatory, so they are both "accurate" and we are just quibbling about the marketing of points of view, and how much info we give to the poor Europeans. This is not worth a wiki war...


First of all I think we should edit this document only after some sort
of agreement here. I think we haven't finished discussion concerning
this issue yet, can you hold back for a minute?


Nope.

Ian, I also disagree with your change. CPS IMHO must be public, period.
It's important for "Relying parties". The CPS is the only thing that
shows what the CA actually does and warrants to relying parties.
Even more so must the "recommended practices" be that it's public.


I agree that it is bad and/or annoying.

But it isn't me that sets the criteria, it is in this case ETSI, and the *policy* clearly says that ETSI is acceptable, and apparently ETSI say non-publication is ok. So you either have to take it up with ETSI (good luck) or you have to add a new policy or practices point which says that regardless of ETSI, the CPS must be published.


I agree with Eddy's revert, and disagree that you just unilaterally
change the recommended practices to the worse, be it a wiki or not.


!


Then, you wrote:
> Correction: I see that Frank doesn't want to
> require the CPS be public.
> As I said, I disagree.
> But even if we don't *require* it, it doesn't mean we shouldn't
> *recommend* publishing it.



On that I agree! I recommend that almost all documents be published, frequently and loudly. Exceptions have to be justified *and documented*.

I would dearly love to see full disclosure here, as a principle. In both Mozilla's CA business, and in Mozilla in the large. But we've got no chance of getting that through so it's not even worth talking about.



iang
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
