I’ve created a new draft 9 of the proposed Mozilla CA certificate policy. The main substantive changes are as follows:
I extended the policy’s requirements to cover all CAs, not just new CAs. This puts existing CAs on notice that in the future we can (and I hope will) go back through the list of CA certificates already included in Mozilla-related products and decide whether or not particular CA certificates should continue to be included.
I changed the phrase “independent and qualified third party” to “competent independent party,” because it was less wordy and better captured my intent. (I stole this phrase from the ETSI criteria mentioned below,)
I added ETSI TS 101 456 and ETSI TS 102 042 as acceptable criteria, for a number of reasons:
The criteria in these two standards are comparable to the criteria in the ANSI X9.79 and WebTrust documents already considered as acceptable.
These two standards were created for use in the EU, and ETSI TS 101 456 in particular is (or likely will be) referenced in national digital signature laws of EU member states. This is important since the majority of the new CAs that have been applying for inclusion are located in the EU, and many of them have been certified for compliance with their respective nations’ digital signature laws.
Unlike ANSI X9.79 (which costs USD 50) these two standards can be downloaded at no charge. (However ETSI does require that you register and provide a name and email address.)
Unlike the WebTrust criteria these two standards do not presume the use of authorized accounting firms as evaluators.
I changed the definition of “competent party” to delete “reputation for” in reference to “honesty and objectivity,” since the previous language was redundant.
I changed the definition of “independent party” to include a requirement for disclosure of financial compensation in certain cases. This is intended to cover the case of a volunteer evaluator who is reimbursed by a CA for expenses incurred during an evaluation; the previous language prohibited any such financial compensation, no matter how small. I believe that such compensation is acceptable if it is disclosed, so that we can then determine whether or not the nature and amount of the compensation is such that it would cause us to question the objectivity of the evaluator.
As always I welcome comments, criticisms, and suggestions for changes; thanks to those who’ve commented thus far. (You can post comments to the relevant thread in n.p.m.crypto.) If you do have suggestions for changes please submit the actual language you’d like to see in the policy.
I hope that this version or the next can be designated as the final draft. Once I have a final draft, my plan is to wait a week or so, finish writing the accompanying FAQ, and then submit the draft policy to the Mozilla Foundation for consideration as the final 1.0 policy.