http://www.hecker.org/mozilla/ca-certificate-policy
(A blog post will follow shortly.)
The two major changes in the draft are as outlined in my previous post:
* I provided examples in clause 4 of certificate-related problems that
might cause us to reject a CA's application for inclusion or to consider
removing an already-included CA certificate. Note that I accepted Ram's
suggestion to mention cases where there are CDP or OCSP AIA extensions
in issued certs but no working CRL or OCSP service.
* I added a new clause 13 that recommends CAs consider using separate
root or intermediate CAs when issuing certificates according to
different policies.
See the attached file for complete diffs from draft 11. Note that I also
made two other non-substantive changes, one to the initial paragraph to
focus on Firefox and Thunderbird as the main products of interest and
one to fix an HTML validation error.
As usual, comments are welcome and encouraged. At this point I think
that the policy is basically in a state to be submitted to the Mozilla
Foundation for approval as a 1.0 policy, and I plan to do so absent any
strong objections. I could always mess about with the policy some more,
but I don't believe that at this time there's a consensus to make
additional substantive changes beyond what I've already made. (As I've
said before, we can always revisit the policy later if/when events
warrant doing so.)
Frank
--
Frank Hecker
hec...@hecker.org
> http://www.hecker.org/mozilla/ca-certificate-policy
> ... At this point I think
> that the policy is basically in a state to be submitted to the Mozilla
> Foundation for approval as a 1.0 policy, and I plan to do so absent any
> strong objections.
Yes, do so.
iang
--
News and views on what matters in finance+crypto:
http://financialcryptography.com/