David E. Ross wrote:
> In the existing policy, I see only brief mention of removing a
> previously approved root certificate (the phrase "to discontinue
> including a particular CA certificate in our products" in the first
> sentence of Section 4). I think we need to expand upon that issue.
>
> Examples (plus "and other reasons") should be given for why an approved
> certificate loses its approval.
>

I suggest that we create a new document or extension for this, like guidelines for reasons for removal, procedures to follow, steps to perform after a removal is approved, etc. I think that bug https://bugzilla.mozilla.org/show_bug.cgi?id=413375 deals with this also.

> The administrative process for removing a certificate should be
> described. For example, will a Bugzilla report be issued?

Yes, I believe that's the correct way, as with inclusion requests.

> How long a
> review should be tolerated between proposing the removal and the approval?
>

I think there should be some criteria in the guidelines which define this, depending on the severity of the issue and confirmation of the reasons. Under normal circumstances I suggest including a comment period as well, where objections could be raised. The same process as for inclusions, just with the reverse effect.

> To protect users who still have versions of Mozilla products (and related
> products) with a removed certificate, the policy should provide for
> listing such certificates along with the reason for their removal. Both
> a permanent list on the Web and notices at both
> <news://news.mozilla.org:119/mozilla.announce> and
> <news://news.mozilla.org:119/mozilla.dev.tech.crypto> should be used.
>

I think http://www.mozilla.org/projects/security/certs/ would be the correct location for this.

> Perhaps the policy should authorize a press release.
>

Additionally, an announcement on the list you mentioned above could be made. I think releasing a PR would be too much perhaps...
--
Regards

Signer: Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber: [EMAIL PROTECTED] <xmpp:[EMAIL PROTECTED]>
Blog: Join the Revolution! <http://blog.startcom.org>
Phone: +1.213.341.0390

_______________________________________________
dev-tech-crypto mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-crypto

