On 20/11/14 07:27, Peter Gutmann wrote:
> That was my immediate reaction as well. CACert has been given the runaround
> for more than just four years, it's been more than a decade, and yet as soon
> as a Mozilla-sponsored CA turns up it's in.
>
> Perhaps someone from Mozilla would be able to explain what the difference is
> that gets Let's Encrypt immediate acceptance while CACert has been left out in
> the cold for more than a decade.
>
> [CC'd to the relevant Mozilla list]

As others have said, your perception of the situation is at odds with reality. Where has anyone said that Let's Encrypt gets "immediate acceptance"? Also, CACert withdrew their application some years ago and have not engaged with Mozilla since; it's entirely unfair to call that "us giving CACert the runaround".

Mozilla, as the Let's Encrypt announcement shows, is a supporter of wider access to secure communications and certificate services. The idea that we would have something against CACert is a ridiculous one. Way back when, we even did some creative thinking about how we could make audit criteria appropriate to CAcert, and even today we staunchly maintain our freedom to set alternative audit criteria to WebTrust and ETSI should that ever be necessary, despite pressure to just allow what the BRs allow and no more. That option is potentially waiting for CACert should they ever re-apply with a root which has a known and trackable provenance and history since creation (which, if memory serves - and it may not - was one of the big potential problems last time).

Looking from the outside (where I am), Let's Encrypt have taken an admirably pragmatic approach to securing the goal of free certificates for all - partnering with an existing CA to get instant ubiquity and avoid the chicken/egg problem, and building recognition for their own root over time. I'm proud that Mozilla is part of what they are doing. But they aren't going to get special treatment when they do apply (which has not yet happened).

Gerv
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy