I've created a new draft 0.8 of the Mozilla CA Certificate Policy:
http://www.hecker.org/mozilla/ca-certificate-policy
The main substantive changes were pretty much as previously discussed:
* Extended the requirements to cover all CAs, not just new CAs.
* Changed "independent and qualified third party" to "competent
independent party".
* Added ETSI TS 101 456 and 102 042 as acceptable criteria.
* Changed the definition of "competent party" to delete "reputation
for" in reference to "honesty and objectivity".
* Changed the definition of "independent party" to include a
requirement for disclosure of financial compensation in certain cases
(e.g., a volunteer evaluator reimbursed by the CA for expenses).
I also made a few other minor non-substantive changes for clarity and
formatting.
As always I welcome comments, criticisms, and suggestions for changes;
thanks to those who've commented thus far, whether in this forum or via
email. If you do have suggestions for changes, please submit the actual
language you'd like to see in the policy.
I hope that this version or the next can be designated as the final
draft. Once I have a final draft, my plan is to wait a week or so,
finish writing the accompanying FAQ, and then submit the draft policy to
the Mozilla Foundation for consideration as the final 1.0 policy.
Frank
P.S. I've attached a file containing detailed differences from the draft
0.8.
--
Frank Hecker
hec...@hecker.org
[ ca-certificate-policy-diff.txt 7K ]
Index: mozilla/ca-certificate-policy.html
===================================================================
--- mozilla/ca-certificate-policy.html (revision 357)
+++ mozilla/ca-certificate-policy.html (working copy)
@@ -58,8 +58,11 @@
in our software products, at any time and for any reason.</li>
<li>We will consider adding certificates for additional CAs to the
- default certificate set upon request. We require that all such CAs:
+ default certificate set upon request.</li>
+ <li>We require that all CAs whose certificates are distributed with
+ our software products:
+
<ul>
<li>provide some service relevant to typical users of our
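Review bot: the new `<li>We require that all CAs whose certificates are distributed with our software products:` extends the requirements from CAs being added on request to every CA already in the default set, but nothing in this hunk says how or by when the existing CAs must demonstrate conformance; suggest a sentence here (or in the later "burden is on the CA" item) giving a transition rule, e.g. "CAs whose certificates are already included as of the date of this policy must meet these requirements within [N] months", with the period to be decided.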
@@ -69,16 +72,14 @@
(e.g., in a Certification Practice Statement);</li>
<li>operate to published criteria that we deem acceptable;
- and</li>
+ <em>and</em></li>
<li>provide attestation of their conformance to the stated
- criteria by an independent and qualified third party or
- parties.</li>
+ criteria by a competent independent party or parties with access
+ to details of the CA's internal operations.</li>
- </ul>
+ </ul></li>
- </li>
-
<li>We consider the criteria published in any of the following
documents to be acceptable:
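Review bot: the added qualifier `with access to details of the CA's internal operations` is not carried into the definitions of "competent party" and "independent party" that this patch adds later, so it is unclear whether documentary access (a CPS and audit reports) is enough or an examination of the CA's actual operations is meant; suggest either spelling that out here, e.g. "with access, including on-site access where the stated criteria require it, to details of the CA's internal operations", or folding the access requirement into the "competent party" definition so it is defined once.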
@@ -87,26 +88,38 @@
<li>Annex B, "(Normative) Certification Authority Control
Objectives", of ANSI X9.79-1:2001, <a
href="http://www.x9.org/catalog2.cfm?item_no=%24%23%20%2F%217%20%21O%0A&...">Part
- 1: PKI Practices and Policy Framework</a></li>
+ 1: PKI Practices and Policy Framework</a>;</li>
+ <li>Clause 7, "Requirements on CA practice", in ETSI TS 101 456
+ V1.2.1 (2002-04), <a
+ href="http://pda.etsi.org/pda/home.asp?wki_id=vRB.0b.A2uoprrwvH-WyI">Policy
+ requirements for certification authorities issuing qualified
+ certificates</a> (as applicable to either the "QCP public" or
+ "QCP public + SSCD" certificate policies);</li>
+
+ <li>Clause 7, "Requirements on CA practice", in ETSI TS 102 042
+ V1.1.1 (2002-04), <a
+ href="http://pda.etsi.org/pda/home.asp?wki_id=tmTZH@WhLn_.'0,.QCFnV">Policy
+ requirements for certification authorities issuing public key
+ certificates</a> (as applicable to any of the "NCP", "NCP+", or
+ "LCP" certificate policies); <em>or</em></li>
+
<li>"WebTrust Principles and Criteria for Certification
Authorities" in <a
href="http://ftp.webtrust.org/webtrust_public/tpafile7-8-03fortheweb.doc">AICPA/CICA
WebTrust Program for Certification Authorities, Version
- 1.0</a></li>
+ 1.0</a>.</li></ul>
- </ul>
-
We reserve the right to accept other criteria in the future.</li>
- <li>By "qualified third party" we mean a person or other entity who
- is authorized to perform audits according to the stated criteria
- (e.g., by the organization responsible for the criteria) <em>or</em>
- for whom there is sufficient public information available to
- determine that the third party is competent to judge the CA's
- conformance to the stated criteria. In the latter case the "public
- information" referred to should include information regarding the
- third party's
+ <li>By "competent party" we mean a person or other entity who is
+ authorized to perform audits according to the stated criteria (e.g.,
+ by the organization responsible for the criteria or by a relevant
+ government agency) <em>or</em> for whom there is sufficient public
+ information available to determine that the party is competent to
+ judge the CA's conformance to the stated criteria. In the latter
+ case the "public information" referred to should include information
+ regarding the party's
<ul>
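Review bot: the two pda.etsi.org links (`href="http://pda.etsi.org/pda/home.asp?wki_id=vRB.0b.A2uoprrwvH-WyI"` and the corresponding TS 102 042 link) carry opaque `wki_id` query tokens that look work-item- or session-specific and may not resolve for readers later; since the document numbers and versions are already in the link text, suggest pointing the links at a stable ETSI document page or dropping the hrefs rather than risking dead links in a 1.0 policy. Separately, because TS 102 042 is accepted "as applicable to any of the 'NCP', 'NCP+', or 'LCP' certificate policies", the attestation a CA submits should be required to name which of those policies it was evaluated against.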
@@ -114,29 +127,38 @@
cryptography and related standards;</li>
<li>experience in performing security-related audits,
- evaluations, or risk analyses; and</li>
+ evaluations, or risk analyses; <em>and</em></li>
- <li>reputation for honesty and objectivity.</li>
+ <li>honesty and objectivity.</li>
- </ul>
+ </ul></li>
-</li>
+ <li>By "independent party" we mean a person or other entity who is
+ not affiliated with the CA as an employee or director, and for whom
+ at least one of the following statements is true:
- <li>By "independent third party" we mean a person or other entity
- who has no financial or contractual relationship with the CA
- <em>or</em> who is bound by law, regulation, and/or a professional
- code of ethics to render an honest and objective judgement regarding
- the CA.</li>
+ <ul>
+ <li>the party is not financially compensated by the CA;</li>
+
+ <li>the nature and amount of the party's financial compensation
+ by the CA is fully and publicly disclosed; <em>or</em></li>
+
+ <li>the party is bound by law, government regulation, and/or a
+ professional code of ethics to render an honest and objective
+ judgement regarding the CA.</li>
+
+ </ul></li>
+
<li>We reserve the right to designate our own representative(s) to
- act as the independent and qualified third party or parties
- described above, should that prove to be necessary and
- appropriate.</li>
+ act as the competent independent party or parties described above,
+ should that prove to be necessary and appropriate.</li>
<li>The burden is on the CA to prove that it has met the above
requirements. However the CA may request a preliminary determination
- from us regarding the acceptability of the criteria and/or the third
- party or parties by which it proposes to meet the requirements.</li>
+ from us regarding the acceptability of the criteria and/or the
+ competent independent party or parties by which it proposes to meet
+ the requirements.</li>
<li>To request that its certificate(s) be added to the default set a
CA should submit a formal request as follows:
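Review bot: the second bullet of the new "independent party" definition, `the nature and amount of the party's financial compensation by the CA is fully and publicly disclosed`, does not say where the disclosure must be published or whether it has to accompany the request, and the request-information list later in this patch does not ask for it; suggest requiring it as part of the "information as to how the CA has fulfilled the requirements" item so the determination can be made from the submission. Also, `not affiliated with the CA as an employee or director` leaves owners, shareholders and contractors of the CA unaddressed; consider "employee, director, owner, or contractor".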
@@ -168,27 +190,22 @@
<ul>
<li>SSL-enabled servers,</li>
- <li>digitally-signed and/or encrypted email, or</li>
+ <li>digitally-signed and/or encrypted email,
+ <em>or</em></li>
<li>digitally-signed executable code objects;</li>
- </ul>
+ </ul></li>
- </li>
-
<li>a Certification Practice Statement (or links to a CPS) or
equivalent disclosure document(s) for the CA or CAs in question;
- and</li>
+ <em>and</em></li>
<li>information as to how the CA has fulfilled the requirements
stated above regarding its conformance to a set of acceptable
- criteria.</li>
+ criteria.</li></ul>
- </ul>
-
We will reject requests where the CA does not provide such
information within a reasonable time after submitting its
- request.</li>
-
-</ol>
+ request.</li></ol>
</div>
<p>This policy applies only to software products distributed by the
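Review bot: `within a reasonable time after submitting its request` gives the CA no concrete deadline and gives you no clear basis for rejecting a stalled request; suggest a fixed period (placeholder: "within 30 days of our request for it") or a statement that a deadline will be given when the request is acknowledged. The remaining changes in this hunk only collapse closing tags (`</ul></li>`, `</li></ol>`) onto the content lines, consistent with the earlier hunks.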
@@ -210,6 +227,13 @@
to related questions.</p>
<div class="important">
+<p>Version 0.9, February 11, 2004. Extended requirements to cover all
+CAs included with Mozilla products. Changed "independent and qualified
+third party" to "competent independent party" and clarified that they
+need to have information on CAs' operations. Added ETSI TS 101 456 and
+102 042 as acceptable criteria. Changed language on financial
+compensation to evaluators. Various other minor changes.</p>
+
<p>Version 0.8, February 8, 2004. Clarified references to
"users". Added requirement for a CPS or equivalent document. Removed
reference to X509v3. Clarified that the MF could do its own evaluation
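Review bot: the new changelog entry `Version 0.9, February 11, 2004` conflicts with the covering message, which announces draft 0.8 and says the attached diff shows differences from draft 0.8; confirm that the document title and any other version string in the file also say 0.9, and that the message is the one in error. The entry also summarises the new attestation requirement as evaluators "need to have information on CAs' operations", whereas the policy text in this patch says "access to details of the CA's internal operations"; align the wording so the summary does not read weaker than the requirement it describes.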