Comment 209 for bug 28048

In , Gervase Markham (gerv-mozilla) wrote :

(In reply to comment #161)
> Has CACert indicated that they aren't seeking approval at the moment? The
> previous post was by an auditor independent of CACert.

...who seems to be the only person capable of producing the audit documents. Unless CACert has a secret auditor no-one knows about who has nearly finished their audit?

> Also - should CAs be required to seek approval - is there a problem with users
> requesting that CAs be added if the CA does not seek this approval? Shouldn't
> users of CACert and mozilla products be able to request the approval of the
> root cert?

No. We require that the CA request approval themselves. This is because the inclusion process always requires some interaction with the CA, and so they need to be on board to provide it and answer questions. It also means we can be certain that we do not set a trust bit that the CA would not want set.

> I haven't seen any concerns raised with how CACert issues certs or verifies
> identity,

Perhaps because I have not examined their practices in this regard. It would be highly wrong to conclude that, because CACert has not undergone formal analysis by the MoFo, it would therefore pass such analysis!

> If
> CACert can't meet mozilla's requirements, perhaps mozilla ought to help them
> out a bit, or start a free certificate authority of their own?

I don't think CACert has stated that they can't meet the Mozilla requirements. And as far as I am aware, they haven't asked for our help either.

Bottom line: this bug has been open nearly four years, and all the information needed has not yet been presented. I consider four years more than "a reasonable time", and so have closed this bug. When and if CACert would like to present the information necessary, they can open another bug and do so.

Gerv