I have published a new draft 5 of the proposed Mozilla CA certificate policy. For detailed line-by-line changes from the previous draft please see my posting in the netscape.public.mozilla.crypto newsgroup (aka the mozilla-crypto mailing list).
(Note that I have not yet updated the accompanying FAQ, but will try to do so in the next few days. Unfortunately for various reasons I will have less free time during the holiday season than I would normally, so I can’t commit to getting this done right away.)
This new draft embodies the “WebTrust or equivalent” policy that I’ve been using recently (and which is similar to Microsoft’s policy), and provides at least a high-level definition of what I mean by “WebTrust-equivalent,” based on my previous comments on this point in n.p.m.crypto. (In this regard I go beyond the Microsoft policy; Microsoft doesn’t provide any details on how it actually decides whether a CA’s “third-party attestation” is equivalent to a WebTrust for CAs audit or not, but I think a public project like Mozilla has to provide more openness and clarity regarding the CA selection process.)
Please provide comments and suggestions on the policy in n.p.m.crypto. Based on those comments I will try to make a final draft that I can submit to the Mozilla Foundation for approval.
Note that I had the most trouble coming up with suitable language for paragraph 5.3. In general the issue is that in the absence of a WebTrust-authorized auditor doing the work I think the audit process would have to be more open than is normally the case with WebTrust audits, in order for me and others to have confidence in the results. This might include having public information about the audit methodology, public information about the qualifications of the auditor(s), and potentially more details about the actual audit results than are published in a typical WebTrust report.