{
  "$type": "site.standard.document",
  "canonicalUrl": "https://frankhecker.com/2005/02/08/draft-8-of-mozilla-ca-certificate-policy/",
  "path": "/2005/02/08/draft-8-of-mozilla-ca-certificate-policy/",
  "publishedAt": "2005-02-08T06:47:00.000Z",
  "site": "at://did:plc:77mn3ult3b72tpvtqqva6tat/site.standard.publication/3mpfmfpu4u72n",
  "tags": [
    "mozilla"
  ],
  "textContent": "I’ve created a new [draft 8 of the proposed Mozilla CA certificate policy][draft 8].  The main substantive changes are as follows:\n\n- I changed references to “users” to clarify that we’re referring to users of the products distributed by the Mozilla Foundation through mozilla.org.\n\n- I added a requirement for CA disclosure of business practices in the form of a Certification Practice Statement.  Besides being a good idea in general, it’s typically the CPS that is referenced in auditor/evaluator reports, so it’s needed to provide a more complete picture of the CA’s conformance to whatever criteria are used to evaluate its operations.  (For examples of Certification Practice Statements see my draft [Mozilla CA certificate list][list].)\n\n- I removed the explicit reference to knowledge of X509v3 in the qualifications for an independent and qualified third party.  I consider it implicit in the reference to “related standards” and I’m not sure how useful it is to single out X509v3 in this context.\n\n- I explicitly allowed for the possibility of the Mozilla Foundation doing its own CA evaluations, as [requested by Zach Lipton][Zach] and others.  Note that I worded this clause the way I did because in practice such evaluations---if ever done---would almost certainly be done not by actual Mozilla Foundation employees but rather by someone else designated to act on their behalf.\n\n- I added a note that we will reject CA requests if we don’t get the needed information in a timely manner.  In part this is to motivate me to actually resolve requests with a “yes” or “no” answer, as opposed to letting them sit in Bugzilla without action.  (I’ll definitely plead guilty to this, and I apologize to the CAs for which it’s happened.  I’m going to try this month to go through all the CA-related bug reports and resolve them one way or another.)\n\nAs always I welcome comments, criticisms, and suggestions for changes; thanks to those who’ve commented thus far.  \n(You can post comments to the relevant [thread in n.p.m.crypto][thread].) If you do have suggestions for changes please submit the actual language you’d like to see in the policy.\n\n[list]: /mozilla/ca-certificate-list\n[Zach]: http://weblogs.mozillazine.org/zach/archives/007487.html\n[thread]: http://groups-beta.google.com/group/netscape.public.mozilla.crypto/browse_thread/thread/aea7dd21f79059b5\n[draft 8]: /mozilla/ca-certificate-policy",
  "title": "Draft 8 of Mozilla CA certificate policy"
}