On 24/03/15 21:12, Peter Kurrasch wrote: > As to who should be forced to constrain, this is controversial. I would > argue that everyone should be forced, but that has certain problems. One > can argue that only government-run and certain other CA's should be > forced but then we are put in the position of having to decide > objectively which ones are more trustworthy than others. That can be a > tricky path to navigate and doesn't change the underlying threat: that > any CA can be a victim of outright attack, sloppy operations, deliberate > bad acts, and even simple mistakes.
Forcing everyone to constrain does not solve this problem of having to decide who is more trustworthy. It just transfers it. All CAs want to issue for .com. Which ones do you allow to do so? (Let's say for the sake of argument that they have all already done so in the past.) Gerv _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
