4.1 is merely a corollary of the "benefits" requirement. 4.2 is only necessary to evaluate the "risks" requirement. 4.3 should add a requirement that the data be compatibly licensed.
I do believe we need more details somewhere on key risk factors.
In the "details of policy" FAQ:
The "How will the Mozilla Foundation decide" entry significantly understates the risks side of things. I believe the word "undue" should be removed, as it suggests Mozilla will accept a fairly high level of risk per CA. Remember, every CA we add increases the risk, as an attacker only needs to break one of them to succeed. The entry should probably list risks separately from benefits.
The discontinuation entry should mention a change in the risk/reward evaluation as being the most likely reason.
The "free certs" section goes into a digression about email certs. This information, if it belongs anywhere, belongs in the "how will decide" entry. The entire second paragraph is redundant with that entry.
In the "Exactly what information" section, I don't entirely agree with the continuity of CA operations requirement. While continuity requirements for any CRL and/or OCSP service might make sense, there is no risk to Mozilla users if a listed CA fails to continue issuing certs.
_______________________________________________
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto
