David Ross wrote:
> In Mozilla bug #215243, a lengthy debate has begun (via bug
> comments) whether CAcert's root certificate belongs in the Mozilla
> certificate database. At the present, the only new root
> certificates being added to the database have successful WebTrust
> audits, which is the primary cause of the debate since CAcert is a
> low-budget operation with free user certificates and cannot afford
> the audit.

David, IINM, the policy now allows CAs to be admitted if they have the *equivalent* of a WebTrust audit. The CAs admitted to the list in 2004 may all have had WebTrust audits, but a statement about those "being admitted" (present progressive tense) needs to include those with equivalent credentials also.

> Some very lengthy rants have excessively lengthened the
> bug report, rants that belong here and not in the report.

I agree completely about that!

> A Mozilla Foundation policy has been drafted to address this
> issue. The policy provides for alternative approvals for root
> certificates, thus not tying Mozilla strictly to WebTrust. Approval of that policy is pending.

That policy is Mozilla's de facto policy now. Frank's draft policy, in its various revisions, is the policy that has been followed for the last year, and is the policy now being followed.

I don't believe there's any formal Mozilla Foundation "approval"
process now underway, on whose outcome this policy is waiting.
Rather, I think Frank has not yet asked the Mozilla Foundation to
stamp it with final approval.

At the present time, there are 179 CA certificates in mozilla software,
representing approximately 45 different CAs.  No monopoly there.
The number grew from 129 to 179 (almost 40%) in 2004 alone.  So, clearly,
under the draft policy, no monopoly is present, and many CAs who meet
the criteria have been admitted.  Quite a few of those CAs now offer
free personal certificates.  From those "observations", I conclude that
mozilla's draft policy is serving the community of mozilla users very
well.

> In the meantime, a review of CAcert's policies and operations has
> begun in accord with the draft policy.

Who is undertaking this review?

> It may be possible that the
> review may conclude about the same time the policy is approved and
> thus provide a test case of the policy.

Indeed, it may. Or it may not. But I think the process should be bounded (finite duration, say 6 months or less) and when it is done, the bug should be resolved, either "fixed" or "invalid".

If the conclusion is that this (or any) CA does not meet the criteria,
then the bug should not be left open indefinitely.  Leaving the bug
open indefinitely leaves readers with the impression that Mozilla is
"dragging its heels" rather than with the understanding that "this CA
does not meet the policy requirements".  If the CA does not meet the
requirements, then the advocates for the CA should understand that,
and be working on fixing that, rather than bemoaning the apparent
lack of progress on the bug.  It doesn't help anyone for Mozilla to
be afraid to say "no".

> PLEASE: Make any further comments on this issue here and not in
> the bug report.

Amen to that!

--
Nelson B
_______________________________________________
mozilla-crypto mailing list
mozilla-crypto@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-crypto
