On 26/05/15 22:26, Kathleen Wilson wrote: > But this raises the question of whether their re-application can be for > the same (currently-included) root certificates, or if it has to be for > a new root certificate. In other words, should we consider taking the > stance that we will require a new root certificate for their > re-application? (i.e. the restrictions would remain in place for the > currently-included roots.)
I see no security advantage in requiring new roots. Doing so would be an inconvenience (one might say "punishment") to CNNIC, and someone might want to argue for it on those grounds, but I can't see how requiring new roots changes any security evaluation, because there has been no suggestion that their roots are either a) technically unsound, or b) compromised. Gerv _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy