As I implied in my previous message about the KISA request for inclusion 
of its roots, government CAs can pose special problems in the context of 
our current Mozilla CA policy, and I wanted to take the opportunity to 
discuss the topic briefly, since we may want to consider future changes 
to our policy to address these.

Some government CAs undergo truly independent audits, e.g., by getting 
WebTrust for CAs audits using WebTrust-certified auditors. (I think the 
government of Taiwan did this, for example.) However, in many countries 
the government CA is audited by a separate agency of government; this is 
the case in South Korea (where MIC is the auditor of KISA) and 
elsewhere. Furthermore, some of these audits (including KISA's) are 
based on laws and regulations specific to the country in question, as 
opposed to being based on globally-applicable criteria like WebTrust, 
ETSI 101 456, etc.

This causes more work for us (because we have to investigate each 
country's practices individually) and also raises questions about 
governments auditing themselves.

In its new policy for its root program

http://www.microsoft.com/technet/archive/security/news/rootcert.mspx?mfr=true

Microsoft has taken an interesting approach to this problem, one that I 
think is worth discussing:

"[F]or government CAs who issue certificates to secure government to 
government or citizen to government transactions, Microsoft will accept 
a statement from a government or private party auditor attesting to the 
CA’s audit status, giving the name of and reference to their audit 
guidelines, the date of the last audit, and equivalence of their audit 
criteria to the Operating Standards (e.g. WebTrust For CAs, ETSI TS 102 
042, ETSI 101 456, ISO 21188)."

Should we think about adopting similar language in a future policy 
revision? I'll give my own thoughts about this in a subsequent message, 
but I'll pause here to let others comment.

Frank

-- 
Frank Hecker
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto