I think this makes most sense as part of a hypothetical "probationary period" for CAs. In other words, make a quick decision as to whether to get a CA's cert into Mozilla, and then go through a lengthier decision process before turning the "trust" flags on.
I like that idea.
However I think to be fair to CAs you'd have to set some sort of time limit (either in terms of time or Mozilla releases) for making the final decision. Otherwise it would be easy just to let things slide and keep putting the CA off.
What would happen if/when that limit expired? Would you propose software take any action? Surely not that the software would add trust automatically after some time elapsed.
Also, arguably the "burden of proof" should not just be on the CA but also on the "evaluators", to help resolve cases where there is honest disagreement on whether particular criteria are met or are relevant.
Um. Should mozilla fly evaluators to (say) Australia to find proof when an applicant doesn't provide it? (sounds like fun!)
Frank (speaking for himself only)
-- Nelson B (no one would let me speak for them :)
_______________________________________________ mozilla-crypto mailing list [EMAIL PROTECTED] http://mail.mozilla.org/listinfo/mozilla-crypto
