I have not yet read the policy or FAQ, which I will do soon. However, I thought you might be interested in how the state of California approves certificate authorities under its Government Code Section 16.5. This code section deals with digital signatures on documents that require signatures but are filed electronically with the state or a local government. PKI keys used for this must be authenticated no less than keys used for encryption or for establishing secure communication between a Web browser and a Web server.
See <http://www.ss.ca.gov/digsig/regulations.htm>. This is the California Secretary of State's regulation implementing Government Code Section 16.5. Of particular interest for Mozilla's policy, see sections 22003(a)6(C) and 22003(a)6(D) of the regulation (a bit more than half-way down the page). (Section 22003 begins at <http://www.ss.ca.gov/digsig/regulations.htm#22003>.) 6(C) deals with how a CA gains approval by the state; 6(D) deals with relying on national and international accreditation bodies for granting approval and with revoking approval. The latter contains a link to a notice that WebTrust audits are accepted for determining which CAs are approved.

6(C) and 6(D) together might take two pages to print, thereby meeting the goal of keeping the Mozilla policies short. The notice about WebTrust audits is itself only a single page.

-- 
David E. Ross
<http://www.rossde.com/>

I use Mozilla as my Web browser because I want a browser that complies with Web standards. See <http://www.mozilla.org/>.

mozilla-crypto mailing list
http://mail.mozilla.org/listinfo/mozilla-crypto
