As I think I've mentioned previously, we've got a big backlog of CA 
inclusion requests, and I am not going to be able to clear it all by 
myself. It turns out that a major bottleneck in processing CA requests 
is the time and effort needed to gather basic information about CAs: 
getting copies of root certificates, figuring out what types of 
certificates CAs actually issue, tracking down CPS sections dealing with 
subscriber verification, determining what subordinate CAs exist and how 
they're controlled, verifying the authenticity of audit-related 
documents, untangling any cross-signing arrangements a CA might have 
entered into, getting URLs for example sites using certs issued by the 
CA, ascertaining the status of OCSP support, and so on.

It's only when we have all this information that we can do a reasonable 
job of evaluating CAs to determine if they comply with our policy and 
don't have technical issues that would cause problems with our software. 
In fact, it's probably fair to say that once we obtain complete and 
accurate information for a given CA we've probably done 80% of the work 
needed to properly evaluate it.

I'm therefore looking for people who are willing and able to help 
specifically with the information-gathering phase of processing CA 
requests. This does *not* mean that I'm not interested in having more 
people participate in the CA evaluation phase (e.g., as have people like 
Eddy, Nelson, and others). It's just that, as noted above, I think more 
effort put into the information-gathering phase will pay off in terms of 
making evaluations easier.

If you're interested in helping with this on a volunteer basis, great, 
I'd be happy to talk with you and explain what needs doing. However, note 
that I'm also willing to talk with people interested in doing this on a 
part-time consulting contract. The major difference is that if you want 
to do it as a volunteer then you don't necessarily have to know lots 
about CAs right now (I'm willing to help you get started), and you can 
work on this whenever you have spare time and feel like doing it. On the 
other hand, if you want to do this as a paid consultant then I expect 
you to have relevant experience and knowledge in the CA/PKI space and to 
be able to commit to a minimum number of hours per week.

Note also that this is not an either/or situation: Because we have lots 
of CA requests to process and they can be done independently, we could 
in theory have multiple people working on this. (I've already talked to 
two people who've expressed interest in doing it as consultants.) 
However, I have a limited budget for any consulting work, so I'm going to 
be somewhat conservative in terms of hiring consultants.

If you're interested in helping with this, please contact me directly 
via email. If you're interested in doing this on a consulting basis, 
please include information on relevant experience (e.g., a CV/resume), 
your typical rates, and the minimum and maximum hours per week or month 
you'd want to work.

Frank

-- 
Frank Hecker
[EMAIL PROTECTED]
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
