Frank,
thanks for all your work on this! As suggested by Jean-Marc Desperrier, I suspect this process is going to be watched carefully by other users of PKI root lists.
I'd like to suggest that once the current phases are complete (webtrust, equiv-webtrust, and non-webtrust proposals), that the pre-existing list of already accepted CAs on the Mozilla default root list be reviewed under the same regime.
I'd also like to suggest that the first CA to be reviewed be VeriSign. I believe there are specific difficulties with VeriSign operating as a CA, as outlined in [1]. In brief, this company also operates a "compliance service" to ISPs and the like for the purposes of facilitating intercepts or eavesdrops on customers.
This in my view represents a fundamental and unacceptable conflict of interest for a CA. In crypto terms, this makes VeriSign the most likely threat to the need for encrypted and protected communications, as well as the provider of same.
All IMHO, of course. As VeriSign is also the largest provider of certs, with about half the market, I realise this is no light issue. Hence I'm signalling the issue well in advance - I guess there are many weeks left before you get to the end of the current phases.
iang
[1] VeriSign's conflict of interest creates new threat http://www.financialcryptography.com/mt/archives/000206.html
