On 18/03/15 20:20, Daniel Micay wrote:
> The trust store policy could be changed to maintain a different level of
> accountability based on prevalence of certificates signed with the root
> certificate, but that's not the case right now. I don't think it should
> be taken into account in these decisions. Doing otherwise would be a
> concession that large CAs aren't going to be held accountable, and
> taking away that risk also removes that incentive to follow the rules.
It would be simply wrong to write that we don't care about compatibility, because we do. That doesn't mean we won't take action, but it might mean we took different action. For example, in this sort of case, if this root was popular, we might make extra engineering effort to write a date-based cutoff into the code, preventing them from issuing new certs but keeping existing ones working. But that seems unnecessary given the data supplied by Richard.

Anyway... I agree with the immediate removal. I am sure Kathleen has been more than patient with them.

Gerv

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
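The date-based cutoff Gerv describes, modelled as an added example that is not Mozilla's NSS code and not part of this thread: the root stays in the trust store, so certificates already issued keep validating, but any certificate on a path to that root whose notBefore falls on or after the cutoff is rejected, which stops the CA from issuing usable new certificates. The root names, the cutoff date, the `Cert` stand-in structure and the sample certificates are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate (constructed, not parsed from DER)."""
    subject: str
    issuer: str
    not_before: datetime


# Constructed trust store: the affected root remains trusted, so deployed certs keep working.
TRUSTED_ROOTS = {"Example Root CA", "Other Root CA"}

# Constructed distrust policy: root subject -> notBefore cutoff. Any certificate on a
# path to that root issued on or after the cutoff is rejected; earlier ones are unaffected.
NOTBEFORE_CUTOFF = {"Example Root CA": datetime(2015, 3, 1, tzinfo=timezone.utc)}


def build_path(chain):
    """Walk issuer links from the leaf (chain[0]) until the issuer is a trusted root.

    Returns (path, root_subject), or (None, None) when no trusted root is reached
    (issuer missing from the supplied chain, or a self-signed cert not in the store).
    """
    by_subject = {c.subject: c for c in chain}
    path = []
    cur = chain[0]
    while cur is not None:
        if cur.subject in {c.subject for c in path}:
            return None, None          # loop in the supplied chain
        path.append(cur)
        if cur.issuer in TRUSTED_ROOTS:
            return path, cur.issuer
        cur = by_subject.get(cur.issuer)
    return None, None


def evaluate(chain, now):
    """Return ('trusted', root_subject) or ('untrusted', reason) for `chain` at time `now`."""
    path, root = build_path(chain)
    if path is None:
        return "untrusted", "no path to a trusted root"
    for cert in path:
        if cert.not_before > now:
            return "untrusted", f"{cert.subject} is not yet valid"
    # The date-based cutoff: applied only to paths ending at the affected root.
    cutoff = NOTBEFORE_CUTOFF.get(root)
    if cutoff is not None:
        for cert in path:
            if cert.not_before >= cutoff:
                return "untrusted", (f"{cert.subject} issued {cert.not_before.date()} is on or "
                                     f"after the {cutoff.date()} cutoff for {root}")
    return "trusted", root


# Constructed sample certificates.
UTC = timezone.utc
INTERMEDIATE = Cert("Example Intermediate CA", "Example Root CA", datetime(2012, 1, 10, tzinfo=UTC))
OLD_LEAF = Cert("www.example.test", "Example Intermediate CA", datetime(2014, 6, 1, tzinfo=UTC))
NEW_LEAF = Cert("new.example.test", "Example Intermediate CA", datetime(2015, 4, 1, tzinfo=UTC))
ORPHAN_LEAF = Cert("orphan.example.test", "Unknown CA", datetime(2014, 6, 1, tzinfo=UTC))
NOW = datetime(2015, 6, 1, tzinfo=UTC)


def demo():
    """Evaluate the three sample chains; the pre-cutoff leaf stays trusted, the rest do not."""
    return {
        "old": evaluate([OLD_LEAF, INTERMEDIATE], NOW),
        "new": evaluate([NEW_LEAF, INTERMEDIATE], NOW),
        "orphan": evaluate([ORPHAN_LEAF], NOW),
    }


if __name__ == "__main__":
    for name, (verdict, detail) in demo().items():
        print(f"{name}: {verdict} ({detail})")
```

The cutoff is checked on every certificate in the path below the root, not only the leaf, so a backdated leaf under a post-cutoff intermediate is still rejected; the ordinary "not yet valid" check runs first so the two failure modes are reported separately.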