On 13.02.2009 16:56, Ian G wrote:
> But it isn't me that sets the criteria, it is in this case ETSI, and
> the *policy* clearly says that ETSI is acceptable, and apparently ETSI
> say non-publication is ok.

FWIW, this is irrelevant. *We* require the ETSI. We can also require
additional requirements, like that the CPS is published.

> or you have to add a new policy or practices point which says that
> regardless of ETSI, the CPS must be published.

It already states:
"6. We require that all CAs whose certificates are distributed with our
software products:
...
* publicly disclose information about their policies and business
practices (e.g., in a Certificate Policy and Certification Practice
Statement);"
"14. To request that its certificate(s) be added to the default set a CA
should submit a formal request by submitting a bug report
<https://bugzilla.mozilla.org/enter_bug.cgi?product=mozilla.org&component=CA%20Certificates>
into the mozilla.org Bugzilla system ...
...
* a Certificate Policy and Certification Practice Statement (or links to
a CP and CPS) /or/ equivalent disclosure document(s) for the CA or CAs
in question; /and/"
To me, that reads that the CPS (or whatever other document publishes the
practices, no matter what it's called, therefore the "equivalent"
wording) *must* be public.
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto