Eddy Nigg wrote:
> I suggest to Microsoft and Mozilla to make it a policy
> requirement of CAs to refrain from spam and sending of unsolicited mail.
In my original "CA certificate metapolicy" document from 2004
http://hecker.org/mozilla/ca-certificate-metapolicy
I wrote the following:
    18. ... The [Mozilla CA certificate] policy should not arbitrarily
    exclude CAs from consideration based on factors such as the CA's
    size, reputation, *business practices not related to certificate
    issuance*, profit or nonprofit status, geographic location, and the
    like. [emphasis added]
As part of the discussion of the metapolicy, I wrote the following in
response to a comment from Ben Bucksch stating that he didn't want roots
included for a company "proven to be ruthless", and asking whether we'd
accept Microsoft as a root CA:
    I wasn't proposing to ignore the CA's track record specifically
    as a CA, I was referring instead to the CA's general reputation as
    a business. To answer your hypothetical question: if Microsoft acted
    as a CA, and if Microsoft properly did the things one would expect a
    CA to do, then why should their root CA cert not be included? Whether
    Microsoft is a "good" company or "bad" company in terms of other
    non-CA-related business practices (for example, the sorts of things
    that got them in trouble with the US and EU) is IMO of little or no
    relevance.
http://groups.google.com/group/netscape.public.mozilla.crypto/msg/45e7135322b15f4c
So, consistent with my position back then, I am *not* in favor of our
imposing a policy requirement that CAs (or their resellers) not engage
in spamming. It's not directly relevant to a CA's performance as a CA.
Frank
--
Frank Hecker
hec...@mozillafoundation.org
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto