On 12/27/2008 02:16 PM, Ian G:
> Indeed, this is the "Verisign buyout model"; outsource something new,
> get huge, get bought out by Verisign.

What has that to do exactly with what Paul agreed to?

> It doesn't matter in business principle whether it outsources a function
> to a reseller, to its employees or to the government.

Of course it does. Besides that an employee isn't outsourcing, he is part of the company. Or one might ask, why are certain functions never outsourced to a third party? Or perhaps let's start to outsource the CA root key responsibilities as well then...


> Is there a criterion anywhere that says or implies "The CA has not
> outsourced critical function X to an external agent?" Can anyone recall
> such a statement?

Yes, to some extent Mozilla does that already today with the "Problematic Practices". For example auditing of intermediate CAs shouldn't be outsourced from the auditor to the CA (it's just the other way around).

And if there is no such criterion we might still create and adopt it. This is no precedent; there are other criteria already.

> that a popular incentive is to generate opportunities for business
> revenues.

So? Mozilla really shouldn't care about the business revenues of some CAs. How is that relevant?

> As advice this would remain fine and standard. However trying to create
> some sort of restriction on how these things are done is likely to close
> off opportunities to do it better another way, in the future.


I think what Paul suggested is exactly what any responsible CA should do. I believe most do exactly that today. Especially in light of the fact that it's a core requirement of the Mozilla CA policy.

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog:   https://blog.startcom.org