This is a tentative step to
- document where Mozilla's CA area is at with disputes
- set the scene for the future.
The first step is to document where we are now, with little emphasis on suggestions for change. Originally [on dev.tech.crypto].
What is a dispute?
A dispute is anything where a stakeholder complains about a thing within the broader CA area and seeks a change, one that is not easily agreed to by other stakeholders.
This is very broad, and deliberately so. We are defining a term that might be considered "loaded" in its other, more usual senses.
Filing a Dispute
To file a dispute, file a bug in Bugzilla and mark it as already described in CA:How_to_apply (with one modification: set Severity as appropriate).
The bug text should list who the dispute is filed against, and what remedy is sought.
How Disputes are Resolved
By default, this is currently a Mozilla action and responsibility. Reverse-engineering the existing policy and referring to it, I would suggest the following as a starting point:
- The CA certificate module owner at the Mozilla Foundation is responsible. Ref, the [policy], pt 15. The module owner may designate another person to investigate and rule.
- The dispute is investigated.
- The dispute is ruled upon and the ruling is listed in the bug report above.
- Many disputes will be dealt with by communication, and no ruling will be required. This will create a default "closed, no action" ruling.
Finality and Appeal
What happens if we disagree with the decision of the module owner? In [policy], it says "CAs or others objecting to a particular decision may appeal to mozilla.org staff, who will make a final decision." Ref, policy, pt 15.
I would question this; Google suggests that "staff" is as listed here: http://www.mozilla.org/about/staff but that seems out of date. Also, because this forum is absent from the public eye, I doubt it musters the credibility we need for dispute review where the legal and contractual significance is high. E.g., is there any way we can review the decisions they made in the past?
There are several possibilities:
(i) Ruling is final.
(ii) Review by mozilla.org staff, per policy, pt 15.
(iii) Review by the board of the Mozilla Foundation.
(iv) Review by some independent party.
(v) Review by a forum at law: courts, or an arbitrator.
Personally, I would plump for (iii) and suggest the Mozilla Foundation board as the next step. It is expensive, but available. The directors already have fiduciary responsibility, and can thus deal with the significance. It is also aligned with the review of the manager concerned, the policy, and the general contractual issues.
Examples of Disputes
It might help to list some examples of disputes:
- discovery of flaw(s) in the process of a CA, with the remedy of a dropped root.
- weakness in software, with the remedy of a fix or adjustment to code. E.g., the dropping of MD5.
- absence of an important check in the criteria for audit, with the remedy of a change to policy to add the check as a clause in the policy.