Hi Frank,
a couple of minor clarifications: my perspective on the examples / guidance question is fairly minor; I also wouldn't want to slow down on the policy.
On the question of how you would make decisions as the man in the hot seat - absolutely, I'd feel that you would be wise to the game-playing of desperate CAs. I'm more thinking about what happens when you yourself aren't in the hot seat, and someone else is; that person may not have the "Washington DC" perspective.
(Funny you should have called it that, having visited DC for extended periods, I understood just what you were referring to ;)
...
>>> 13. In addition to the requirements outlined above, we also recommend that CAs use different root CAs (or different intermediate CAs under
>> in 2,3 "CAs" above don't you mean "certificates"?
> Not strictly speaking, since certificates per se can't issue other certificates. There's some unavoidable ambiguity here between using the term "CA" to refer to the "technical means" (private key, etc.) by which certificates are issued and using the term "CA" to refer to the organization employing those means. I'd happily accept suggestions on how to clarify this distinction.
On that specific point, I didn't know that certificates can't sign. I did some quick searching and wasn't able to turn up anything that confirmed that and/or gave an alternate wording. Anyone else know any better wording?
iang
--
News and views on what matters in finance+crypto:
http://financialcryptography.com/
_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto
