On 2/19/14 1:43 PM, Jan Schejbal wrote:
On 2014-02-19 01:52, Kathleen Wilson wrote:
- don't have external, third-party audits
I think the current policy for these is "do not let/keep them in the
root program", and I think that this policy needs enforcement, not changes.
Kind regards,
Jan
http://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/inclusion/
"14. By "independent party" we mean a person or other entity who is not
affiliated with the CA as an employee or director and for whom at least
one of the following statements is true:
- the party is not financially compensated by the CA;
- the nature and amount of the party’s financial compensation by
the CA is publicly disclosed; or
- the party is bound by law, government regulation, and/or a
professional code of ethics to render an honest and objective judgement
regarding the CA."
There are included government CAs whose audits are performed by other
organizations within the same government.
Previously we have tried to tackle how to define and constrain
government CAs. (https://wiki.mozilla.org/CA:GovernmentCAs)
I think it is time to have this discussion again, and maybe this time
focus on identifying certain CA actions/behavior that can be used to
distinguish the CAs who should be constrained.
Kathleen
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy