> Thoughts? I think it's a good policy, but like the current policies it cannot really be enforced because there is no way to validate compliance.
These rules would be a lot more meaningful if any new additions to the trust store were required to have Certificate Transparency implemented for the sake of auditing, along with a deadline for other CAs to put it in place. CT would have meant this was trivially caught *much* earlier by security researchers. Private audits are clearly not working.
_______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy

