
cacert-policy - Re: [website form email]: Accreditation by other Certificate Root

Subject: Policy-Discussion

  • From: Ian G <iang AT cacert.org>
  • To: cacert-policy AT lists.cacert.org
  • Subject: Re: [website form email]: Accreditation by other Certificate Root
  • Date: Tue, 20 Oct 2009 23:40:53 +0200
  • Authentication-results: lists.cacert.org; dkim=pass (1024-bit key) header.i= AT cacert.org; dkim-asp=none

On 15/10/2009 20:07, Brian McCullough wrote:

We have talked about extending the "TVerify" Policy, or perhaps more properly, a "Third Party Certificate" Policy, to include either different policies for various CAs or perhaps a list of CAs that can be treated in the same manner. The discussion tends to revolve around the question, and this came up first for Thawte (Verisign) themselves, of how much does the CA validate and verify their customer, and then, how much we can depend on that validation. Not being able to enter into "cross-validation" agreements with most of these entities causes us to have to ask how much we "trust" others in general, and how much faith we can place in their processes without being able to include those processes in our own Audit.


Right. Just to add to that; it is not out of the question that we rely on the results of other CAs without an agreement and without an audit. For years we have been doing exactly that with passports, etc, issued by various government "CAs" a.k.a. passport issuing offices. We haven't got an agreement with them nor have we audited them.

What this really means is.... we have to do the due diligence over these other "CAs". And someone has to make a case that their results are worth X to us.

I wouldn't expect a rush of CAs being added; probably just one or two, the ones most applicable to the community.

A couple of things you might want to think about:

  * has an audit according to Mozilla's policy
  * issues IV certs under Mozilla's definition
  * has passed Mozilla's review

iang


