Looking for help in processing CA inclusion requests

Frank Hecker

May 9, 2008, 10:50:51 AM
to mozilla's crypto code discussion list
As I think I've mentioned previously, we've got a big backlog of CA
inclusion requests, and I am not going to be able to clear it all by
myself. It turns out that a major bottleneck in processing CA requests
is the time and effort needed to gather basic information about CAs:
getting copies of root certificates, figuring out what types of
certificates CAs actually issue, tracking down CPS sections dealing with
subscriber verification, determining what subordinate CAs exist and how
they're controlled, verifying the authenticity of audit-related
documents, untangling any cross-signing arrangements a CA might have
entered into, getting URLs for example sites using certs issued by the
CA, ascertaining the status of OCSP support, and so on.

It's only when we have all this information that we can do a reasonable
job of evaluating CAs to determine if they comply with our policy and
don't have technical issues that would cause problems with our software.
In fact, it's probably fair to say that once we obtain complete and
accurate information for a given CA we've probably done 80% of the work
needed to properly evaluate it.

I'm therefore looking for people who are willing and able to help
specifically with the information-gathering phase of processing CA
requests. This does *not* mean that I'm not interested in having more
people participate in the CA evaluation phase (e.g., as have people like
Eddy, Nelson, and others). It's just that, as noted above, I think more
effort put into the information-gathering phase will pay off in terms of
making evaluations easier.

If you're interested in helping with this on a volunteer basis, great,
I'd be happy to talk with you and explain what needs doing. However note
that I'm also willing to talk with people interested in doing this on a
part-time consulting contract. The major difference is that if you want
to do it as a volunteer then you don't necessarily have to know lots
about CAs right now (I'm willing to help you get started), and you can
work on this whenever you have spare time and feel like doing it. On the
other hand, if you want to do this as a paid consultant then I expect
you to have relevant experience and knowledge in the CA/PKI space and to
be able to commit to a minimum number of hours per week.

Note also that this is not an either/or situation: Because we have lots
of CA requests to process and they can be done independently, we could
in theory have multiple people working on this. (I've already talked to
two people who've expressed interest in doing it as consultants.)
However I have a limited budget for any consulting work, so I'm going to
be somewhat conservative in terms of hiring consultants.

If you're interested in helping with this, please contact me directly
via email. If you're interested in doing this on a consulting basis,
please include information on relevant experience (e.g., a CV/resume),
your typical rates, and the minimum and maximum hours per week or month
you'd want to work.

Frank

--
Frank Hecker
hec...@mozillafoundation.org

Frank Hecker

May 20, 2008, 1:55:28 PM
to mozilla's crypto code discussion list
Frank Hecker wrote:
> I'm therefore looking for people who are willing and able to help
> specifically with the information-gathering phase of processing CA
> requests.

Note that I found someone to help with this. Kathleen Wilson will be
assisting with information gathering on CA-related bugs; Kathleen used
to work for VeriSign, and knows her way around a CPS. I've asked
Kathleen to start with various outstanding EV-related requests and make
sure we have all the necessary information to proceed with an
evaluation. I'll take the lead when we get to the evaluation and public
comment period, as before.

More later as I start to hand over various bugs to Kathleen.

Nelson B Bolyard

May 20, 2008, 2:24:45 PM
to mozilla's crypto code discussion list
Frank Hecker wrote, On 2008-05-20 10:55:

> Note that I found someone to help with this. Kathleen Wilson will be
> assisting with information gathering on CA-related bugs; Kathleen used
> to work for VeriSign, and knows her way around a CPS. I've asked
> Kathleen to start with various outstanding EV-related requests and make
> sure we have all the necessary information to proceed with an
> evaluation. I'll take the lead when we get to the evaluation and public
> comment period, as before.
>
> More later as I start to hand over various bugs to Kathleen.

That's awesome good news!

/Nelson

Eddy Nigg (StartCom Ltd.)

May 20, 2008, 2:25:41 PM
to mozilla's crypto code discussion list
Frank Hecker:
> Frank Hecker wrote:
>> I'm therefore looking for people who are willing and able to help
>> specifically with the information-gathering phase of processing CA
>> requests.
>
> Note that I found someone to help with this. Kathleen Wilson will be
> assisting with information gathering on CA-related bugs; Kathleen used
> to work for VeriSign, and knows her way around a CPS. I've asked
> Kathleen to start with various outstanding EV-related requests and make
> sure we have all the necessary information to proceed with an
> evaluation. I'll take the lead when we get to the evaluation and public
> comment period, as before.

Excellent! And welcome Kathleen!


Regards 
 
Signer:  Eddy Nigg, StartCom Ltd.
Jabber:  star...@startcom.org
Blog:  Join the Revolution!
Phone:  +1.213.341.0390
 
