Ian G wrote, On 2009-02-13 01:46:
> Don't fixate on the title. CAs generally have some set of documents
> that are internal / not published, and some set of documents that are
> published. If someone like the WebTrust people come along and say "CPS
> must be published" then the CPS gets thinner and some other document
> gets fatter...
>
> The ETSI group just said it the other way around, they want one
> all-inclusive document for ease of auditing,

Seems to me that this is another case where we're having problems because we're using a term ("CPS") which is widely understood, but for which more than one meaning exists. As long as we continue to use it without defining it, we will have problems of people seeming to agree, but having different understandings of what they've agreed upon, resulting in apparent breaches of the agreement down the road.

Maybe we should stop using the term CPS, and invent our own term and define it carefully in the policy. I've never seen a definition of the term "CPS" anyway. My understanding of its meaning is based on having read various documents that claim to be CPSes. I think that's true for many people.

So let the definition of this term we coin be exactly what we require in a document, or set of documents, for purposes of admitting a CA to the list.

Is that a way forward?

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto