Nelson B wrote:

> There are some other threads in this newsgroup about the criteria by
> which mozilla.org should choose to add root CAs to its built-in list
> of trusted CAs.  Maybe there's a simpler solution.

I don't think it's necessarily *the* solution, but it could certainly be a component of one.

> Mozilla's built-in list contains a bunch of root CA certs, AND it
> contains trust information about each one, indicating for each cert
> whether it is trusted for SSL, for SMIME, for code signing, etc.
>
> IIRC, today, the list contains only CAs that are trusted for at least
> one of those services.  It does not presently include any CAs that are
> trusted for nothing.  But there is no technical reason why it couldn't.
>
> New root CAs could be added to the built-in list without any trust
> flags while mozilla.org decides whether to give trust or not.
>
> Does that idea meet any needs? Whaddaya think?

I think this makes most sense as part of a hypothetical "probationary period" for CAs. In other words, make a quick decision as to whether to get a CA's cert into Mozilla, and then go through a lengthier decision process before turning the "trust" flags on.


However I think to be fair to CAs you'd have to set some sort of time limit (either in terms of time or Mozilla releases) for making the final decision. Otherwise it would be easy just to let things slide and keep putting the CA off.

Also, arguably the "burden of proof" should not just be on the CA but also on the "evaluators", to help resolve cases where there is honest disagreement on whether particular criteria are met or are relevant.

Frank
(speaking for himself only)

--
Frank Hecker
[EMAIL PROTECTED]

_______________________________________________
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto
