I’ve created a new draft 8 of the proposed Mozilla CA certificate policy. The main substantive changes are as follows:
I changed references to “users” to clarify that we’re referring to users of the products distributed by the Mozilla Foundation through mozilla.org.
I added a requirement for CA disclosure of business practices in the form of a Certification Practice Statement. Besides being a good idea in general, it’s typically the CPS that is referenced in auditor/evaluator reports, so it’s needed to provide a more complete picture of the CA’s conformance to whatever criteria are used to evaluate its operations. (For examples of Certification Practice Statements see my draft Mozilla CA certificate list.)
I removed the explicit reference to knowledge of X509v3 in the qualifications for an independent and qualified third party. I consider it implicit in the reference to “related standards” and I’m not sure how useful it is to single out X509v3 in this context.
I explicitly allowed for the possibility of the Mozilla Foundation doing its own CA evaluations, as requested by Zach Lipton and others. Note that I worded this clause the way I did because in practice such evaluations—if ever done—would almost certainly be done not by actual Mozilla Foundation employees but rather by someone else designated to act on their behalf.
I added a note that we will reject CA requests if we don’t get the needed information in a timely manner. In part this is to motivate me to actually resolve requests with a “yes” or “no” answer, as opposed to letting them sit in Bugzilla without action. (I’ll definitely plead guilty to this, and I apologize to the CAs for which it’s happened. I’m going to try this month to go through all the CA-related bug reports and resolve them one way or another.)
As always I welcome comments, criticisms, and suggestions for changes; thanks to those who’ve commented thus far. (You can post comments to the relevant thread in n.p.m.crypto.) If you do have suggestions for changes please submit the actual language you’d like to see in the policy.