Frank Hecker wrote [in part]:

> As noted in prior discussions, the Mozilla Foundation and mozilla.org
> staff are considering adopting a formal policy regarding selection of
> new CA certificates for inclusion in the default certificate database
> distributed with Mozilla, Firefox, Thunderbird, etc. They have asked me
> to take the lead on attempting to create such a policy. As with prior
> policies I've been involved with (e.g., the policy for handling reports
> of Mozilla security vulnerabilities) my preferred approach is to try and
> develop this policy through a process of discussions in public forums
> and with parties affected by the policy (e.g., Mozilla developers and
> new CAs).
>
> Here are my initial attempts at a policy and accompanying FAQ:
>
> http://www.hecker.org/mozilla/certificate-policy/
> http://www.hecker.org/mozilla/certificate-faq/
I reviewed both the policy and FAQ.

My comments on the policy are in the PDF file at <http://www.rossde.com/Mozilla_certs/Policy.pdf>. These comments are in the form of suggested revisions, highlighted in underlined blue. Those revisions primarily address how a CA's certificates are approved for inclusion in the default database. My concern is that CA certificates should indeed be trusted. Specifically:

#3: I indicate that a CA that fails an audit or loses accreditation should have its certificates removed and the removal should be publicized. Mozilla users should not rely on a deficient CA.

#6 (new): I added this new section to indicate that only reliable CAs should have their certificates in the default database. Rather than having the Mozilla Foundation investigate CAs for reliability, I used standards based on the California regulations. Then the only effort required of the Foundation would be to review an audit report and verify that the audit was conducted by a qualified professional.

#7 (new): Despite wishes to the contrary, you cannot escape the legalisms. I suggest the Mozilla Foundation's lawyer should word the necessary clause in your license. Reliance on outside standards and outside auditors (especially when that reliance is already recognized in law in the state where the Foundation is incorporated) will offer some protection against liability, but you should also make sure the Foundation's general liability insurance addresses this issue.

My comments on the FAQ are in the PDF file at <http://www.rossde.com/Mozilla_certs/FAQ.pdf>. I had comments on only two questions under "Details of the Mozilla Certificate Policy", one of which relates back to my suggestions regarding the policy.

--
David E. Ross
<http://www.rossde.com/>

I use Mozilla as my Web browser because I want a browser that complies with Web standards. See <http://www.mozilla.org/>.
_______________________________________________
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto
