I've done a new draft 11 of the proposed CA certificate policy; you can find it at the usual place:
http://www.hecker.org/mozilla/ca-certificate-policy
My apologies, I forgot to add a diff listing of the detailed changes from draft 10 to draft 11; please see the attached file.
Frank
-- Frank Hecker [EMAIL PROTECTED]
Index: mozilla/ca-certificate-policy.html
===================================================================
--- mozilla/ca-certificate-policy.html (revision 360)
+++ mozilla/ca-certificate-policy.html (working copy)
@@ -40,7 +40,7 @@
<div class="para">
<p>This is the official Mozilla Foundation policy for CA certificates
-that it distributes with its software products:</p>
+that we distributes with our software products:</p>
<ol>
@@ -54,8 +54,15 @@
<li>We will not charge any fees to have a CA's certificate(s)
distributed with our software products.</li>
- <li>We reserve the right to discontinue including any CA certificate
- in our software products, at any time and for any reason.</li>
+ <li>We reserve the right to not include a particular CA certificate
+ in our software products, to discontinue including a particular CA
+ certificate in our products, <em>or</em> to modify the "trust bits"
+ for a particular CA certificate included in our products, at any
+ time and for any reason. This may include (but is not limited to)
+ cases where we believe that including a CA certificate (or setting
+ its "trust bits" in a particular way) would cause undue risks to
+ users' security <em>or</em> cause technical problems with the
+ operation of our software.</li>
<li>We will consider adding certificates for additional CAs to the
default certificate set upon request.</li>
@@ -68,23 +75,56 @@
<li>provide some service relevant to typical users of our
software products;</li>
- <li>publicly disclose information about their business practices
- (e.g., in a Certification Practice Statement);</li>
+ <li>publicly disclose information about their policies and
+ business practices (e.g., in a Certificate Policy and
+ Certification Practice Statement);</li>
- <li>operate to published criteria that we deem acceptable;
- <em>and</em></li>
+ <li>prior to issuing certificates, verify certificate signing
+ requests in a manner that we deem acceptable for the stated
+ purpose(s) of the certificates;</li>
+ <li>otherwise operate in accordance with published criteria that
+ we deem acceptable; <em>and</em></li>
+
<li>provide attestation of their conformance to the stated
- criteria by a competent independent party or parties with access
- to details of the CA's internal operations.</li>
+ verification requirements and other operational criteria by a
+ competent independent party or parties with access to details of
+ the CA's internal operations.</li>
</ul></li>
- <li>We consider the criteria published in any of the following
- documents to be acceptable:
+ <li>We consider verification of certificate signing requests to be
+ acceptable if it meets or exceeds the following requirements:</li>
<ul>
+ <li>for a certificate to be used for digitally signing and/or
+ encrypting email messages, the CA takes reasonable measures to
+ verify that the entity submitting the request controls the
+ email account associated with the email address referenced in
+ the certificate <em>or</em> has been authorized by the email
+ account holder to act on the account holder's behalf;</li>
+ <li>for a certificate to be used for SSL-enabled servers, the CA
+ takes reasonable measures to verify that the entity submitting
+ the certificate signing request has registered the domain(s)
+ referenced in the certificate <em>or</em> has been authorized
+ by the domain registrant to act on the registrant's behalf;</li>
+
+ <li>for certificates to be used for digitally signing code
+ objects, the CA takes reasonable measures to verify that the
+ entity submitting the certificate signing request is the same
+ entity referenced in the certificate <em>or</em> has been
+ authorized by the entity referenced in the certificate to act on
+ that entity's behalf;</li>
+ </ul>
+
+ We reserve the right to accept other requirements in the future.</li>
+
+ <li>We consider the criteria for CA operations published in any of
+ the following documents to be acceptable:
+
+ <ul>
+
<li>Annex B, "(Normative) Certification Authority Control
Objectives", of ANSI X9.79-1:2001, <a
href="http://www.x9.org/catalog2.cfm?item_no=%24%23%20%2F%217%20%21O%0A&pub_item=%2334%2A%3B%0A";>Part
@@ -134,8 +174,8 @@
</ul></li>
<li>By "independent party" we mean a person or other entity who is
- not affiliated with the CA as an employee or director, and for whom
- at least one of the following statements is true:
+ not affiliated with the CA as an employee or director <em>and</em>
+ for whom at least one of the following statements is true:
<ul>
@@ -158,7 +198,7 @@
requirements. However the CA may request a preliminary determination
from us regarding the acceptability of the criteria and/or the
competent independent party or parties by which it proposes to meet
- the requirements.</li>
+ the requirements of this policy.</li>
<li>To request that its certificate(s) be added to the default set a
CA should submit a formal request as follows:
@@ -195,18 +235,25 @@
<li>digitally-signed executable code objects;</li>
</ul></li>
- <li>a Certification Practice Statement (or links to a CPS) or
- equivalent disclosure document(s) for the CA or CAs in question;
- <em>and</em></li>
+ <li>a Certificate Policy and Certification Practice Statement
+ (or links to a CP and CPS) <em>or</em> equivalent disclosure
+ document(s) for the CA or CAs in question; <em>and</em></li>
<li>information as to how the CA has fulfilled the requirements
- stated above regarding its conformance to a set of acceptable
+ stated above regarding its verification of certificate signing
+ requests and its conformance to a set of acceptable operational
criteria.</li></ul>
- We will reject requests where the CA does not provide such
- information within a reasonable time after submitting its
- request.</li>
+ We will reject requests where the CA does not provide such
+ information within a reasonable period of time after submitting its
+ request.</li>
+ <li>We will appoint a CA certificate "module owner" to evaluate CA
+ requests on our behalf and make decisions regarding all matters
+ relating to CA certificates included in our products. CAs or
+ others objecting to a particular decision may appeal to
+ mozilla.org staff, who will make a final decision.</li>
+
<li>We reserve the right to change this policy in the future. We
will do so only after consulting with the public Mozilla community,
in order to ensure that all views are taken into account.</li></ol>
@@ -232,6 +279,11 @@
to related questions.</p>
<div class="important">
+<p>Version 0.11, February 27, 2005. Added requirements relating to
+subscriber vetting. Added blanket statement reserrving right not to
+include certificates. Added note about appointment of module
+owner.</p>
+
<p>Version 0.10, Feburary 16, 2005. Dropped "fully" from financial
disclosure requirement. Added section on revising the
policy. Corrected date references on version history.</p>
