Perhaps I chose my words poorly because my intention actually was to avoid having to pass judgment at all. Instead of saying to a CA "we don't trust you enough, please constrain" I was hoping for something along the lines of "everybody is asked to constrain to make the internet safer for everyone".
In terms of who gets to issue for .com, I wouldn't impose a limit on who can do it, just that you have to tell us you're doing it. If an intermediate were to be constrained to .com, .net, and .org and nothing else, I would be fine with that. That would actually be quite an accomplishment if we could get every CA to just agree to that much.

Original Message
From: Gervase Markham
Sent: Wednesday, March 25, 2015 6:54 AM
To: [email protected]
Subject: Re: Name Constraints

On 24/03/15 21:12, Peter Kurrasch wrote:
> As to who should be forced to constrain, this is controversial. I would
> argue that everyone should be forced, but that has certain problems. One
> can argue that only government-run and certain other CAs should be
> forced but then we are put in the position of having to decide
> objectively which ones are more trustworthy than others. That can be a
> tricky path to navigate and doesn't change the underlying threat: that
> any CA can be a victim of outright attack, sloppy operations, deliberate
> bad acts, and even simple mistakes.

Forcing everyone to constrain does not solve this problem of having to decide who is more trustworthy. It just transfers it. All CAs want to issue for .com. Which ones do you allow to do so? (Let's say for the sake of argument that they have all already done so in the past.)

Gerv
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
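The thread talks about constraining an intermediate to .com, .net and .org, which in X.509 terms is a dNSName Name Constraints extension (RFC 5280, section 4.2.1.10). The following is an added, self-contained illustration of how a relying party evaluates such constraints along a chain; it is not code from the thread, from Mozilla, or from any CA. The constraint sets and DNS names used at the bottom are constructed for the example, and the acceptance of a leading-dot form such as ".example.com" as equivalent to "example.com" is an assumption of this example, not something the RFC defines.

```python
"""Pure-Python check of RFC 5280 dNSName name-constraint matching.

Added illustration for the name-constraints discussion; not code from the
mailing-list thread. Each CA in a path may carry permitted and excluded
subtrees; every DNS name in the leaf must satisfy all of them.
"""
from dataclasses import dataclass, field
from typing import Iterable, List, Optional


def _labels(name: str) -> List[str]:
    """Split a DNS name into lower-cased labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")


def dns_name_in_subtree(name: str, subtree: str) -> bool:
    """RFC 5280: a dNSName subtree 'example.com' covers 'example.com' and every
    host in any of its subdomains, but not 'badexample.com' (label-wise
    suffix match). A leading-dot form ('.example.com'), emitted by some
    issuers, is treated here as meaning the same thing (assumption)."""
    sub = _labels(subtree.lstrip("."))
    nm = _labels(name)
    if len(nm) < len(sub):
        return False
    return nm[-len(sub):] == sub


@dataclass
class NameConstraints:
    """Modelled dNSName entries of one CA's Name Constraints extension."""
    permitted: List[str] = field(default_factory=list)
    excluded: List[str] = field(default_factory=list)


def check_dns_name(name: str, nc: NameConstraints) -> Optional[str]:
    """Return None if `name` is allowed under `nc`, else a reason string.

    Excluded subtrees win over permitted ones; an empty permitted list means
    the CA placed no permitted-subtree restriction on dNSName.
    """
    for ex in nc.excluded:
        if dns_name_in_subtree(name, ex):
            return f"{name} falls inside excluded subtree {ex}"
    if nc.permitted and not any(dns_name_in_subtree(name, p) for p in nc.permitted):
        return f"{name} is outside every permitted subtree {nc.permitted}"
    return None


def check_chain(leaf_names: Iterable[str],
                chain: Iterable[NameConstraints]) -> List[str]:
    """Apply every CA's constraints in the path to every leaf DNS name.

    Returns the list of violations; an empty list means the leaf's names are
    acceptable under all constraints in the chain.
    """
    violations: List[str] = []
    for nc in chain:
        for name in leaf_names:
            reason = check_dns_name(name, nc)
            if reason:
                violations.append(reason)
    return violations


def demo() -> List[str]:
    """Constructed scenario: a root-level intermediate limited to .com/.net/.org,
    below it a customer intermediate limited to example.com with one excluded
    internal zone, and a leaf naming three hosts. Returns the violations."""
    tld_only = NameConstraints(permitted=["com", "net", "org"])
    customer = NameConstraints(permitted=["example.com"],
                               excluded=["internal.example.com"])
    leaf = ["www.example.com", "shop.internal.example.com", "mail.example.co.uk"]
    return check_chain(leaf, [tld_only, customer])


if __name__ == "__main__":
    for v in demo():
        print("REJECT:", v)
```

Of the three constructed leaf names, only www.example.com passes: the .co.uk host fails at the .com/.net/.org intermediate and again at the customer intermediate, and the internal host is caught by the excluded subtree even though it sits under the permitted example.com. A real validator also has to process the other name forms (rfc822Name, iPAddress, directoryName) and the RFC's rules for names that appear in the Subject rather than the SAN; this block only covers dNSName.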

