* Changed references to "users" to clarify that we're referring to users of the MF-distributed products.
* Added a requirement for CA disclosure of business practices in the form of a CPS. Besides being a good idea in general, it's typically the CPS that is referenced in auditor/evaluator reports, so it's needed to provide a more complete picture of the CA's conformance to whatever criteria are used to evaluate its operations.
* Removed the explicit reference to X509v3. I consider it implicit in the reference to "related standards" and I'm not sure how useful it is to single out X509v3 in this context.
* Explicitly allowed for the possibility of the Mozilla Foundation doing its own CA evaluations. Note that I worded this clause the way I did because in practice such evaluations -- if ever done -- would almost certainly not be done by actual MF employees but rather by someone else designated by MF staff to act on their behalf.
* Added note that we will reject the requests if we don't get the needed information in a timely manner. In part this is to motivate me to actually resolve requests with a "yes" or "no" answer, as opposed to letting them sit in Bugzilla without action. (I'll definitely plead guilty to this, and I apologize to the CAs for which it's happened. I'm going to try this month to go through all the CA-related bug reports and resolve them one way or another.)
As always I welcome comments, criticisms, and suggestions for changes; thanks to those who've commented thus far, whether in this forum or via email. If you do have suggestions for changes please submit the actual language you'd like to see in the policy.
I know everyone has been distracted by the punycode controversy (my condensed opinion: yes, registrars *should* do something about it, yes, CAs *could* do something about it, but regardless of what they do we *have to* do something about it), but I still want to keep moving toward a final draft of the CA policy.
Currently I am considering making the following changes from draft 0.8 to draft 0.9:
* Clause 5: Someone suggested via email that the requirements of paragraph 5 (provision of some relevant service, public disclosure, operating to acceptable criteria, and third party attestation) be expanded to include all CAs whose certs are distributed with Mozilla-related software, not just new CAs applying to have their certs included. This would give us the leeway to go back and re-evaluate existing CAs as we had the time to do so.
IMO making this change could be as simple as changing "We require that all such CAs:" to "We require that all CAs:", i.e., delete the word "such". However it might be more clear to split clause 5 into two clauses and add some additional language:
5. We will consider adding certificates for additional CAs to the default certificate set upon request.
6. We require that all CAs whose certificates are distributed with our software products:
* provide some service ...
* Clause 7: For a "qualified third party" not otherwise authorized to do CA evaluations we require that there be "public information regarding the third party's ... reputation for honesty and objectivity." I think that this is redundant, and should just read "public information regarding the third party's ... honesty and objectivity" (in other words, delete "reputation for").
* Clause 8: For evaluators who are not, e.g., accounting professionals or government-authorized test labs we require that they "[have] no financial or contractual relationship with the CA". But what if a volunteer wanted to assist a CA with an evaluation, and the CA wanted to reimburse the volunteer for any expenses incurred as part of the evaluation? The clause as written would seem to prohibit such arrangements, since it would arguably constitute a "financial relationship".
I didn't intend to rule out such arrangements (which IMO are acceptable), and if others concur I'd like to change the language to clarify this. I'm not sure of the best language to use, but I was thinking about something like the following:
8. By "independent third party" we mean a person or other entity who is not financially compensated by the CA (except possibly for reimbursement of necessary and reasonable expenses incurred during an evaluation) and is not otherwise affiliated with the CA, *or* who is bound by law, regulation, and/or a professional code of ethics to render an honest and objective judgement regarding the CA.
Note that I added the phrase "not otherwise affiliated with the CA" to address the possible case where a CA employee works as a volunteer.
This added phrase in turn introduces a possible ambiguity: As written the proposed revised clause would seem to permit the "independent third party" to be affiliated with the CA as long as they are "bound by law, regulation, and/or a professional code of ethics to render an honest and objective judgement regarding the CA". This reminds me of Ian's comments about trusting internal evaluations of CAs in cases where there's some law or regulation (e.g., Sarbanes-Oxley) that might cover such evaluations.
I don't know whether to tolerate this ambiguity or eliminate it (i.e., by extending the "not ... affiliated with the CA" requirement to cover all cases). I welcome your thoughts on this issue and on the other changes proposed above.
> Currently I am considering making the following changes from draft 0.8
> to draft 0.9:
I agree with all the above suggestions (snipped).
> * Clause 8: For evaluators who are not, e.g., accounting professionals
> or government-authorized test labs we require that they "[have] no
> financial or contractual relationship with the CA". But what if a
> volunteer wanted to assist a CA with an evaluation, and the CA wanted
> to reimburse the volunteer for any expenses incurred as part of the
> evaluation? The clause as written would seem to prohibit such
> arrangements, since it would arguably constitute a "financial
> relationship".
Ok, this is a tricky one.
> I didn't intend to rule out such arrangements (which IMO are
> acceptable), ...
> This added phrase in turn introduces a possible ambiguity: As written
> the proposed revised clause would seem to permit the "independent
> third party" to be affiliated with the CA as long as they are "bound
> by law, regulation, and/or a professional code of ethics to render an
> honest and objective judgement regarding the CA". This reminds me of
> Ian's comments about trusting internal evaluations of CAs in cases
> where there's some law or regulation (e.g., Sarbanes-Oxley) that might
> cover such evaluations.
> I don't know whether to tolerate this ambiguity or eliminate it (i.e.,
> by extending the "not ... affiliated with the CA" requirement to cover
> all cases). I welcome your thoughts on this issue and on the other
> changes proposed above.
One way to deal with the "paid independent third party" approach is to simply have the party(s) declare how much was paid. This will probably raise some eyebrows, but I can't think why this wouldn't work.
The amount of money that we are talking about is actually a very useful number. Here's why. In the accounting world of audits, a basic standard audit costs a basic standard amount of money. But, if the audit is "difficult" then the money goes up. If the audit is "dodgy", add more money.
As audits are a competitive business, what happens is that one can always find an audit, but one finds that the price can be high. Now, obviously all parties cover this up with words and bluster, but simple economics rules - if you want an auditor to deliver you an audit when it isn't prudent to do so, expect to make a non-trivial contribution to the partner's future well being.
So one thing you could do is to simply state that the fee charged for all audits is public. (I'm going to skip over the obvious aspects and complaints for now). Then, when David Ross for example does his sterling work on CACert and asks for $200 to cover some expenses and some paper costs, he simply lists that, and we can look at that as a signal - that's a figure to cover some expenses.
OTOH, if DodgyDan listed that he got $20,000 for the same job, eyebrows would rapidly ascend to orbit, and we'd treat that as a suspicious signal. DodgyDan could then be better off lying, and saying it was for $200. But even then we are better off, as information that is supposed to be public has a way of leaking out...
(Having said all that, this is FOOD FOR THOUGHT... I recognise that no professional auditor is going to like this approach. To which I'd strongly suggest you ask why! But that's another argument for another day ;)
Ian G wrote:
> OTOH, if DodgyDan listed that he got $20,000 for the same
> job, eyebrows would rapidly ascend to orbit, and we'd treat
> that as a suspicious signal. DodgyDan could then be better
> off lying, and saying it was for $200. But even then we are
> better off, as information that is supposed to be public has
> a way of leaking out...
Actually you forgot to factor airfares from the US to Australia in, which cost a little more than that last time I checked :)
In any case we don't have a problem, since our financial records are public record in any case due to laws/rules we're incorporated under...
> I know everyone has been distracted by the punycode controversy
> (my condensed opinion: yes, registrars *should* do something about it,
> yes, CAs *could* do something about it, but regardless of what they do
> we *have to* do something about it),
As long as all are agreed on the last part, the former two parts (registrars, CAs) are a matter for debate outside Mozilla's strict and immediate interests.
I'm curious on one point - I couldn't find a bug filed under shmoo, and there isn't any notice on the /security/ page. m.security groups is likewise silent. Only Gervase to my knowledge has indicated he's working on a proposal (and I'm not even sure if he is a developer...).
Well, I'm curious if the security forum is active on this? Or is this an artifact of the secrecy thing you mentioned last week?
Ian G wrote:
> One way to deal with the "paid independent third party"
> approach is to simply have the party(s) declare how much
> was paid. This will probably raise some eyebrows, but I
> can't think why this wouldn't work.
Well, I don't think E&Y or KPMG are going to be willing to send me their invoices, but I think this approach is worth considering for CAs that take the "plan B" approach and use an evaluator that's not an accounting firm, government-authorized test lab, etc. This also addresses the question of how we'd determine things like whether expenses paid to a volunteer evaluator were "necessary and reasonable".
You didn't suggest possible language for the next draft, but here's some:
8. By "independent third party" we mean a person or other entity who is not affiliated with the CA as an employee or director, and for whom at least one of the following statements is true:
* the party is not financially compensated by the CA;
* the nature and amount of the party's financial compensation by the CA is fully and publicly disclosed; or
* the party is bound by law, regulation, and/or a professional code of ethics to render an honest and objective judgement regarding the CA.
Thoughts?
Frank
P.S. Note that I will probably publish draft 9 tomorrow; I have one other significant change I am considering, as noted in my next message.
Frank Hecker wrote:
> You didn't suggest possible language for the next draft, but here's some:
Right, I thought I was so far out on a limb already that I'd better stop sawing ;)
> 8. By "independent third party" we mean a person or other entity who
> is not affiliated with the CA as an employee or director, and for
> whom at least one of the following statements is true:
> * the party is not financially compensated by the CA;
> * the nature and amount of the party's financial compensation by
> the CA is fully and publicly disclosed; or
> * the party is bound by law, regulation, and/or a professional code
> of ethics to render an honest and objective judgement regarding
> the CA.
I think that works for now. This is a "new" area, and I'm fighting the temptation to dive in and really get it right, because I suspect that we are well past the diminishing returns at this point, and the future experiences will be worth much more than anything we can create in these laboratory settings.
(David, do you have any thoughts, being rather closer to this coalface?)