February 6, 2005

CA Policy

Update: Frank has updated the policy (v.8), which makes this much clearer. Glad to see someone actually reads what I have to say ;)

As this is a Mozilla-related blog, I feel compelled to mention Frank's great draft CA policy. Creating policy for open-source projects (which tend to naturally resist any such controls) is one of the hardest things to do successfully. The CA policy does a nice job of balancing the needs of users (who couldn't care less about open source, but need security) and those of the community.

I think, though, it would be good if the policy made clear that the Foundation can act as the "qualified third party" for assessing a CA. As the metapolicy states, "We should retain the flexibility to forgo requiring independent auditing and substitute our own evaluation, if by doing so we can provide benefits to users while still protecting them adequately against security risks." The policy does not make it very clear what it means for the Foundation to do its own evaluation, or when such an evaluation would be conducted. It would be nice to see more in this area.

Posted by zach at February 6, 2005 10:48 PM
Comments

A couple of quick comments: First, the current draft policy (draft 7) isn't totally synced up with the metapolicy (which is considerably older); I need to update the metapolicy to make it more current. Second, the current draft policy at least implicitly allows for the possibility of the MF (or, more generally, people in the Mozilla project) doing its own evaluations (or more specifically, being the "independent and qualified third party" signing off on evaluations). But I agree that it might be better to make that more explicit, and that's one of the changes I'm seriously considering for the next draft.

Posted by: Frank Hecker on February 7, 2005 1:42 PM