Re: WISeKey root inclusion request (re-start public discussion)

Tue, 18 Nov 2008 07:14:50 -0800 

Eddy Nigg wrote:
I believe that the policy (and/or other relevant policy guiding statements) should be clear in respect what Mozilla requires from the CAs. 



It's a nice ideal, but I wonder myself whether it can be achieved.  This 
is one of the reasons why we have ended up with the race-to-the-bottom 
in secure browsing;  necessitating (?) the EV thing, etc etc.



Here we are, 14 years after this started, and we still haven't got a 
"clear and reasonable" regime.  That should tell us something :)



Not that I disagree with your central point that it *should be* clear, 
it is just that I wonder if it can be clear.




This is important for planning and preparing for the CAs 
themselves, it's important for us in order to make the right judgment. I 
think that a case-by-case approach is at least unfair and hardly 
sustainable in the long term. 



"Yep, exactly, but..."



I think in some cases it might make sense to
require audits for all subordinates, and in some cases it might not.


Can you define those cases?




I think if the subroots were managed by the lead CA, and the CPS said 
they were under the same set of policies, then there would be little 
point in requiring separate audits.



If on the other hand they were managed by other organisations, and they 
were not under some agreement, then there is an open-ended question, so 
it might make sense to say (in a Mozo requirement) that uncontrolled 
subroots are to be separately audited.



The problem then being that between those two points there is an awful 
lot of space.




What are the requirements and where doesn't 
and where does it make sense? How to draw the line? You must be specific 
in order for us to understand the differences!




Well, I suspect Mozo doesn't know.  Demanding a solution isn't going to 
result in a solution, but it might result in a line being drawn.  Then, 
in 2 years we'll be back here challenging that line, and grumbling about 
how some smart CA crossed the line or bent it or broke it or made lotsa 
dosh or something.



In such a circumstance, case-by-case makes sense.  Mozo might benefit by 
letting the market experiment.  That old socialism stuff where we tell 
everyone what they have to do is so out of style these days (although 
you wouldn't know it if you looked at the finance markets ;) .




iang
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto























					Reply via email to