"we will have a discussion to add a requirement to the Mozilla CA that
CAs include the CA/Browser Forum Baseline Requirements in their
policies, practices, and audits."

The meaning of this is unclear, including whether or not the outcome of
this discussion is predetermined, whether it is a yes/no decision, or if
it can generate requirements for more revisions before potential
acceptance. This ambiguity is disconcerting.

In any case, there seem to be clear logical inconsistencies with the
notion that Mozilla could simply add the requirements to its existing
policy. What is to be done when the two documents conflict, now or in
the future? For example:

- Auditor qualifications
- "Identity validation" acceptability (OV etc)
- requirements for SubCA disclosure

It seems that one of two things happens. Either CAB Forum BR trumps
Mozilla policy, or the other way around. One document or the other
might then be pressured to be revised to conform with the other. If BR
trumps, then we have a process that is increasingly more closed -- I
didn't really find the earlier discussion of whether CAB Forum is a
cartel to be useful... perhaps CABal would be more appropriate? ;) My
concern is that ideas from users about how to update policies will be
less likely to prevail in a closed forum.

How does Mozilla plan to deal with current and future conflicts between
the policies?

Does Mozilla consider the possibility of ceding authority to the CAB
Forum to be an issue?

Steve

I don't think this is the case - consider the basic requirements to be a
set of minimal requirements. Those of course may change and I expect
additional stuff covered very soon (RAs anyone?).

However, Mozilla has, and will have, its own additional requirements, which
will not be void because of the guidelines published and hopefully adopted
by major browser vendors.

But for Mozilla it will be easier in various ways, including having
conformance over the entire industry and across various software
vendors, in addition to offloading some of the inclusion process.

--
Regards
Signer: Eddy Nigg, StartCom Ltd.
XMPP: star...@startcom.org
Blog: http://blog.startcom.org/
Twitter: http://twitter.com/eddy_nigg

All of this still needs to be discussed and appropriate wording figured
out in regards to updating the Mozilla CA Certificate Policy. All I can
offer at this point in time is my current opinion...

1) Predetermined outcome: It is my hope that we will be able to figure
out a way to add useful/meaningful reference to the CAB Forum's Baseline
document to the Mozilla CA Certificate Policy. I don't know what form
that will take. I don't know if we will have to explicitly call out
exceptions. After Baseline V1.0 is published, I will kick off the
discussion to figure this out.

2) Conflicts: Mozilla Policy trumps -- I think this should be included
in the Mozilla CA Cert Policy when we update it in regards to the
Baseline document.

3) Ceding Authority to CAB Forum: The Mozilla CA Cert Policy already
refers to other criteria (ETSI 101 456, ETSI 102 042, WebTrust CA,
WebTrust EV), but I don't think Mozilla has ceded authority to any of
the authors of those criteria. My thinking is that the CAB Forum
Baseline document will be treated as another set of criteria that the CA
should be audited against. I'm sure I haven't said this in the correct
legal phrasing, but hopefully the point gets across that I view the
Baseline document as a tool; I don't view this as ceding authority to
the CAB Forum.

Kathleen

This sounds reasonable to me, and different from the suggestion that we
will "add a requirement to the Mozilla CA that CAs include the
I am requesting that this is removed from the baseline requirements.
> - "Identity validation" acceptability (OV etc)

Can you expand on the conflict here?

> - requirements for SubCA disclosure

Are you just saying here that Mozilla may have requirements over and
above the BR, or are there actual conflicts?

> It seems that one of two things happens. Either CAB Forum BR trumps
> Mozilla policy, or the other way around. One document or the other might
> then be pressured to be revised to conform with the other.

I hope that we will be able to adopt the BR with no reservations, but if
that's not possible, I would have no qualms about adopting it "except
section X.X".

Gerv