Okay, so if a CA doesn't want to cause a service disruption for their customers when this happens, they will implement CT. You can remove their certificate and make a press release saying you wouldn't have distrusted their old certificates if they implemented CT. I'm sure CT will jump to the top of the priority lists of most CAs. Browser / OS vendors really do hold all of the cards here. The CAs have to beg for inclusion and go to extreme lengths to prove trust if you feel like requiring it, but you don't.
I don't see how it's anything but a technical issue, and you're more than up to solving it. That's not a zero tolerance policy. It's an example of compromise where in exchange for more lenience, the CAs have to do something. You have to demonstrate that they have something to gain by showing that the policies have teeth though.
_______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy

