On 11/19/2008 03:56 AM, Ian G:

Yes, and at a technical level I don't see an issue. At a
legal/liabilities level I see an open question: who is taking on the
liability, how is it shared, etc.


...and I might add, how are the basic requirements of the Mozilla CA Policy governed...

I also think it helps a lot to define the target of the security model.
Who are we trying to protect? I say the end-user (and have said so in
recent documents) rather than say Mozo or the CA or whoever else we
might encounter in the path.

100%! Certification is about the relying party, nothing else.


I'm not actually sure a "formal legal agreement" is needed.

I suggested and supported the call for a formal agreement between the CAs and Mozilla a while ago. It would strengthen the relationship and commitment to the Mozilla CA Policy. Without it, governing CAs is rather difficult.


From which I would say that a good model is to simply state the policy
as a "posted notice" with a clause that states "by submitting your root
to the bugzilla for consideration, you agree to the terms and conditions
of this policy." Adding that sort of clause to the policy should be a
lot easier than trying to craft some sort of "mutual agreement."


This could be another way of doing the same thing. Obviously signing a real paper is a stronger act than simply agreeing to a policy statement.

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: [EMAIL PROTECTED]
Blog:   https://blog.startcom.org
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
