Eddy Nigg (StartCom Ltd.) wrote:
> Perhaps this is somewhat premature, but I nevertheless would like to
> suggest a path for implementation and practical steps for implementation
> of the multi-level proposal we put forward. Actually what I want to
> know, how this could and would be implemented and here are my thoughts:
>
> - Once and if Mozilla comes to a decision concerning our proposal, the
>   first step would be most likely to extend the Mozilla CA policy as a new
>   draft.
> - The new Mozilla CA policy draft would be open for review and
>   discussion for a certain period (Guess this is how it is done??).
> - The policy would take effect after this period (Pending some vote or
>   something??).
> - Support for the OID detection would be implemented in the NSS library.
>
> - At this stage I would suggest to implement a small text field in the
>   certificate viewer which would show the level assigned to the
>   certificate if it's found. This text field would be only visible, if a
>   special flag in the config is turned on (by default off). This would be
>   mostly used by CAs and developers (UI?) to start the implementation of
>   the OID and testing of it by all sides.
> - Last step, the UI implementation of the indicators (whatever that means).
>
> Is this the way things would be done at Mozilla for the implementation
> of this proposal?

I think you need to investigate and report on the feasibility of your proposal. In particular, I think you ought to find out what is the likelihood of either:

a) Mozilla agreeing to do all this evaluation of their CAs, or
b) a significant percentage of the CAs agreeing to do this as self-evaluation.

I suspect neither of those has very high probability. Consider:

- I'm pretty sure Mozilla Foundation wants to stay out of the CA judgment business. Executive Director Frank Hecker has consistently said so.
- Mozilla's market share just isn't high enough any more for it to be able to impose this on the CA industry.

The CA industry has been wrestling with this issue for over 2 years now, and the best they've done so far is to come up with the EV proposal, which still isn't approved by the full CA/B Forum membership (even though most of them are now following it).

_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security