David Ross wrote:


After reviewing the discussion in this thread (and other threads), I must conclude that the whole approach to developing a policy is flawed. A policy should represent specifics based on a more general philosophy, but I don't think the philosophy itself is clear in this case.

What Frank is calling the policy is, I believe, what you are calling the philosophy. Simply put, it is that the Mozilla Foundation should decide whether or not to include a CA based on a balancing of the risks and benefits of doing so.

What we still need to nail down are some more specifics as to how to evaluate the benefits and risks. I believe Frank's "FAQ" does a reasonable job of describing how to evaluate the benefits. The risks side needs much more definition.

If this chain of questions and answers is valid, then the Mozilla
Foundation has an obligation to those who use its products to
authenticate not only the validity of each CA certificate in the
default database but also the integrity of the CA's process of
issuing and signing Web server certificates with that CA
certificate.

I'm not sure I'd call it an "obligation", but given the minimalist threat model I proposed earlier, this is something that is necessary in order to evaluate the risks.

No, this does not mean only WebTrust audits. Earlier in this
thread, I cited a California state regulation that specifies
either WebTrust or SAS 70 audits. (See Sections 22003(a)6(C) and
22003(a)6(D) under
<http://www.ss.ca.gov/digsig/regulations.htm#22003>.) Further,
that regulation provides criteria for accepting other
accreditation criteria. However, until other criteria can be
clearly identified and documented, the WebTrust and SAS 70 audits
are the only trustworthy and reliable bases for accepting CA
certificates.


WebTrust and SAS 70 audits outsource the bulk of the risk assessment. They are only useful if the threat model used for the audit is compatible with one's own threat model. It is quite possible that their threat model protects against things that Mozilla users don't care about, so requiring CAs to pass their criteria might unreasonably exclude CAs. It also might be possible and worthwhile to perform such a risk assessment without outsourcing.

But we do clearly need a threat model in order to assess risks.
_______________________________________________
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto
