I'm going to try and do another revision of the draft Mozilla CA certificate policy in the next few days, and one of the things I was thinking about was how to address Ian Grigg's concern about calling out WebTrust by name as the criteria to be used. If you recall, Ian suggested modifying the policy language to refer to "published criteria satisfactory to [the Mozilla Foundation]", along with stating that "[the] starting point for the criteria is _WebTrust for CA_ criteria".

But I'm wondering if a better approach would be to refer to other published criteria that are "WebTrust-like", without necessarily referring to the WebTrust criteria themselves. The most obvious candidates to come to mind are RFC 3647:

  http://www.ietf.org/rfc/rfc3647.txt

and ANSI X9.79:

  http://www.x9.org/catalog2.cfm?item_no=%24%23%20%2F%217%20%21O%0A&pub_item=%2334%2A%3B%0A

As I recall, both of these were used as input when the WebTrust criteria were created. I don't have time at the moment to do a detailed comparison of the RFC 3647 and X9.79 criteria and how they differ from the published WebTrust criteria:

  http://ftp.webtrust.org/webtrust_public/tpafile7-8-03fortheweb.doc

Does anyone know of any web-accessible documents that contain such a comparison?

Any other comments on using RFC 3647 or X9.79 as the reference criteria for the policy? (Note that if we do this I personally would prefer to use RFC 3647 since you don't have to pay USD 50 to get a copy.)

Frank

--
Frank Hecker
[EMAIL PROTECTED]
_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto