Gervase Markham wrote:
- Mozilla writes loads of code to detect each different type of CA certificate and make sure that NSS knows what level it corresponds to
(or are we doing that bit by asking the CAs to include new OIDs?)

YES! Eddy explicitly said that. My "do this all ourselves" was just a thought experiment, and marked as such.

As of today, CAs don't have to make any commitment concerning adherence to the Mozilla CA policy and don't have to sign anything. I think this is "interesting" to say the least. I suggest to let CAs sign the Mozilla CA and a statement like: "By requesting a CA certificate to be embedded in Mozilla software, the CA agrees to adhere to this policy in full..." and confirm to have read, understood etc. of the same paper... Something for the lawyers obviously, but I think it has to be done in some way.

Definitely something for the lawyers, in that it would fundamentally change the relationship between CA and browser. Currently, we have no contract, and so no obligation to continue including the cert. A contract would probably have commitments both ways, implied if not explicit.

No, it should be explicit that the browser has no commitment. After all, it's mainly the CA gaining (it's the base of their business). If we include their root, they have to promise to live up to our standards. But that doesn't mean we *have* to include them forever or for a certain period.

--
When responding via mail, please remove the ".news" from the email address.
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
