Jyrki Nivala wrote:
> The problem with both RFC 3647 and ANSI X9.79 is that they don't have any requirements for the CA. E.g. RFC 3647 only "presents a framework to assist the writers of certificate policies...Further, this document does not define a specific CP or CPS. Moreover, in presenting a framework, this document should be viewed and used as a flexible tool presenting topics that should be considered of particular relevance to CPs or CPSs, and not as a rigid formula for producing CPs or CPSs."

Thanks for your comments. After reading RFC 3647 more closely I understand your point: it in effect says "the CA should describe how they do task X" (where X might be protection of signing keys), but does not necessarily say "X should be done in a way that meets requirement Y".


I guess I'll have to get a copy of X9.79 to see if it takes the same approach.

> If RFC 3647 is going to be used as a criterion, Mozilla Foundation should provide minimum requirements for topics mentioned in RFC 3647, IMHO.

Well, we could draw such requirements from the WebTrust criteria, but then we might as well reference those criteria directly.


> Maybe these could be helpful as well:
> PKI Assessment Guidelines by American Bar Association

I'm familiar with this document.

> European Telecommunications Standards Institute, "Policy Requirements for Certification Authorities Issuing Qualified Certificates"

I haven't read this document but will check it out.

> In general I would require a third party audit.

That is my proposal: Whatever the criteria are, the CA's conformance to the criteria should be judged by an independent third party.


Frank

--
Frank Hecker
[EMAIL PROTECTED]
_______________________________________________
mozilla-crypto mailing list
mozilla-crypto@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-crypto