Go to Google Groups Home    netscape.public.mozilla.crypto
Re: Getting to a 1.0 CA certificate policy

Frank Hecker <hec...@hecker.org>

Nelson B wrote:
> Frank Hecker wrote:

>> A quick note before I go off to work: I'm about to conclude that
>> modifying draft 10 of the CA cert policy to mandate additional CA
>> requirements is not going to work; in the words of the IETF we have
>> neither "rough consensus" nor "working code".

> working code?  We have plenty of working code.  No additional working
> code is needed to place a "floor" on CA requirements.

Sorry, I was speaking metaphorically: By "working code" I mean a clear
set of "minimum assurance" criteria which we can use to sort CAs into
the "good -- approve" and "bad -- reject" categories.

>> The underlying idea here is that IMO it will be difficult, nay
>> impossible, to write and (especially) implement the policy without
>> making subjective decisions, either in general or about a particular CA.

> Well, it seems that after a year, we've come full circle.  IIRC, one of
> the reasons for adopting the webtrust model in the first place was to
> get mozilla OUT of the business of making subjective decisions.
> Why do you now wish to reverse that?

I'm not reversing it, I'm simply acknowledging that there will likely
always be a set of cases where subjectivity will still be called for.
Adopting WebTrust, X9.79, TS 102 042, etc., greatly reduces the number
of such criteria we have to come up with and the corresponding decisions
we have to make, so I think it was useful to include them, as opposed to
going off and coming up with our own criteria on how CAs should operate.
However there is still a grey area and I think it's going to be hard to
further reduce it.

> You wonder if this is merely a "good thing" or if there is real cause
> for concern.  There is real cause for concern.  I will write you
> privately about it.

And (without identifying the exact nature of your concern) I will repeat
what I wrote to you, which is that I find it difficult to figure out
from a policy point of view to exclude the particular case (or cases)
you're concerned about, without introducing an element of subjectivity
that amounts to saying "we don't think this is a good idea, even if
everybody else -- auditors, subscribers, relying parties, whoever --
have signed off on it".

Frank

--
Frank Hecker
hec...@hecker.org