I think the Policy is good, except for one comment on the Risk, which I've responded more towards the FAQ entry, here:
http://www.hecker.org/mozilla/certificate-faq/policy-details/
> In particular, we will evaluate whether or not a CA
> operates in a manner likely to cause undue risk for
> Mozilla users.
Risk is a very tricky thing to assess. Firstly, risk cannot be assessed without proper attention to the value at risk, and the threats against that value.
Secondly, by assessing the risk, however it is done, and then presenting the results for others to rely upon, liability is created. This liability is perhaps limited by the price paid by the user ($0) but is nonetheless present and available for some smart lawyer to exploit.
One way to overcome this would be to deny any risk-based assessment (a "common carrier" approach) but this would then leave Mozilla users at the mercy of costless attacks that the PKI permits. Another way would be to ask for the CAs to provide an indemnity; this however is unlikely, as their own businesses are constructed to reduce their risks, not increase them.
A better way may be to reflect those risk assessments back to those that carry the losses - the users.
This could be done by opening up a forum for every new CA proposal. (Actually, it could be done for all old ones as well). Just like the current CACert bug that started this thread, each CA could have an ongoing forum for user comment.
In this way, users can comment on the information published, and they can present their findings. This would mean real scrutiny would now be possible, as it is likely that Mozilla users have more resources than the Mozilla Foundation.
Most users would never look at the practices of a CPA, as a) they have not the time nor patience, or b) there is nowhere to place their comments and assessments even if they had the time. However, if there was a defined forum for comment, it could be hoped that sufficiently close Mozilla users would do sufficient analysis on the major CAs such that the Mozilla Foundation could simply refer to the sentiment on the forums.
Thus, they would outsource the risk assessment. As policy, this would also remove the liability.
Note 1: the original CACert bug, in a near perfect forum: <http://bugzilla.mozilla.org/show_bug.cgi?id=215243>

Note 2: this form of open governance is practiced in the gold issuance community, where lack of regulators means that the users have to protect themselves by demanding certain measures of issuers.
One other minor comment:
> We may elect to publish submitted information for use
> by Mozilla users and others; please note any information
> which you consider to be proprietary and not for public
> release.
This opens up a bait and switch. Secret information may be provided to Mozilla that will be suppressed and unavailable to the public. In the event of a dispute, this information may be relevant to the public party, but will be unknown to them. I'd recommend that all information provided be deemed public, non-proprietary, and publishable by Mozilla.
iang
_______________________________________________ mozilla-crypto mailing list [EMAIL PROTECTED] http://mail.mozilla.org/listinfo/mozilla-crypto
