Frank Hecker wrote:<snip>
However I think to be fair to CAs you'd have to set some sort of time limit (either in terms of time or Mozilla releases) for making the final decision. Otherwise it would be easy just to let things slide and keep putting the CA off.
What would happen if/when that limit expired? Would you propose software take any action? Surely not that the software would add trust automatically after some time elapsed.
No. I simply mean that the Mozilla Foundation should set a deadline for a final decision and hold someone accountable for it.
Also, arguably the "burden of proof" should not just be on the CA but also on the "evaluators", to help resolve cases where there is honest disagreement on whether particular criteria are met or are relevant.
Um. Should mozilla fly evaluators to (say) Australia to find proof when an applicant doesn't provide it? (sounds like fun!)
No, I'm more thinking of a case where an evaluator hasn't done the necessary legwork, and/or has disagreements with the CA where a reasonable person might go either way. My concern is simply that evaluators not unreasonably postpone decisions.
Frank
-- Frank Hecker [EMAIL PROTECTED] _______________________________________________ mozilla-crypto mailing list [EMAIL PROTECTED] http://mail.mozilla.org/listinfo/mozilla-crypto
