On Mon, May 18, 2015 at 02:45:26PM +0100, Gervase Markham wrote:
> On 17/05/15 23:28, Peter Bowen wrote:
> > This would seem to be a fairly simple rule.
>
> Indeed. However, this has not addressed my question about whether the
> security analysis for government CAs is different to that of commercial
> CAs. :-)

Short answer: no. Both a commercial CA and a government CA have the same ability to damage the Internet PKI, and thus they should be held to the same standards.

- Matt

--
Some people are like slinkies. They don't actually serve any real purpose, but they still make you smile when you push them down the stairs.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy