I’ve posted a new draft 10 of the proposed Mozilla CA certificate policy. The only substantive changes are as follows:
I changed the language on disclosure of financial compensation (i.e., of independent evaluators by CAs) to read “publicly disclose” as opposed to “fully and publicly disclose”; in other words, I dropped the word “fully.”
I added a section discussing revision of the policy, and noting that such revision would be done only after public discussions (similar to what we’re doing now).
My motivation for the first change above was to make it clear that we don’t want and need to see a fully-itemized disclosure statement (e.g., “$5 for lunch at McDonald’s” :-), we just need a statement about the overall compensation (e.g., “$2,000 for expenses incurred during the evaluation”).
(For those coming late to the discussion, this requirement is really intended for the case of independent evaluators who don’t fit the traditional mold of being accountants or goverment-authorized test labs, e.g., they might be volunteers being reimbursed for expenses.)
OK, now for the hard part…
At this point I face a decision: to try to revise this policy further, or to go ahead with the current draft as a reasonable 1.0 policy, with further work pushed to a 1.1 version.
My personal opinion is that the current draft does a good job of codifying and clarifying the current practices that I’ve been following, as well as allowing for us to incorporate new practices like the use of volunteer evaluators. On that basis I would be comfortable submitting this draft (or a very slightly tweaked version of it) to the Mozilla Foundation for consideration as the official 1.0 policy.
However, this draft does not address some of the larger issues that have been raised. In particular, as noted by Nelson Bolyard among others, the proposed Mozilla Foundation policy as written requires that CAs be evaluated to confirm that their practices match their own policies and assertions (e.g., as expressed in the CPS, CP, etc. ); the proposed policy does not go beyond that to attempt to put requirements on those CA policies, for example, to require particular assurance levels for CAs issuing particular types of certificates.
Should we attempt to change the policy to reflect these larger issues? For my part I am predisposed to adopting the current draft as a 1.0 policy, partly for the selfish reason that it’s less work for me :-) More seriously, I do think that the proposed draft is consistent with the current state of affairs with regard to browsers and CAs, and is a good base for future policies that might be further-reaching.
I’m prepared to modify my opinion in the face of compelling arguments to the contrary. However I am concerned about getting bogged down in discussions about the right way to approach more significant changes to the policy, and not reaching consensus on actual policy language. See my previous response to Nelson for a more detailed discussions of my concerns around the idea of expanding the requirements on CAs to include minimal assurance levels.
I’m also concerned about adopting a policy that implies or requires underlying implementation changes or (even worse) changes in the CA business as a whole, as I’ve previously noted in point 12 of the metapolicy. (For example, some proposals imply or require additional browser UI or other changes, for example to display information to the user about the particular CA “class” or to recognize hypothetical standardized policy OIDs.)
It’s not that I don’t think these suggestions are good ideas; it’s just that I think additional experimentation and investigation is needed in order to determine if these suggestions are doable and worth doing, and I don’t necessarily want to wait on the results of that work prior to putting an initial 1.0 policy in place.
As usual, I welcome your comments on this issue, and in particular your opinions as to whether I should take this draft forward to the Mozilla Foundation for consideration as a 1.0 policy. (You can post comments to the relevant thread in n.p.m.crypto.) If you do have suggestions for changes please submit the actual language you’d like to see in the policy.