On 2/13/2008 12:03 PM, Eddy Nigg (StartCom Ltd.) wrote [in part]:

> I previously wrote [also in part]:
>> In the existing policy, I see only brief mention of removing a
>> previously approved root certificate (the phrase "to discontinue
>> including a particular CA certificate in our products" in the first
>> sentence of Section 4). I think we need to expand upon that issue.
>>
>> Examples (plus "and other reasons") should be given for why an approved
>> certificate loses its approval.
>>
> I suggest that we create a new document or extension for this, like
> guidelines for reasons for removal, procedures to follow, steps to
> perform after a removal is approved, etc. I think that bug
> https://bugzilla.mozilla.org/show_bug.cgi?id=413375 deals with this also.
Bug 413375 deals primarily (if not entirely) with certificates that have technical flaws. The concern that is the basis of this thread is certificates whose CAs are behaving inappropriately. Either bug 413375 should be updated (including the summary) to expand its scope, or else a new bug report should be generated.

Further, I think a formal policy is required, not merely a guideline. The brief phrase in section 4 of the existing policy that I cited should be deleted from that policy. Instead, we should have a policy on approving certificates (the current policy) and a new policy on disapproving previously approved certificates.

I prefer the idea of separate policies so that, when one aspect of overall certificate management policy is being updated, that does not open a discussion of other aspects. Having a single comprehensive policy would generate a prolonged discussion and inhibit decisive action. Having multiple policies (without overlaps) helps to focus on what needs to be modified.

--
David E. Ross
<http://www.rossde.com/>

Go to Mozdev at <http://www.mozdev.org/> for quick access to
extensions for Firefox, Thunderbird, SeaMonkey, and other
Mozilla-related applications. You can access Mozdev much
more quickly than you can Mozilla Add-Ons.