On Sun, May 31, 2015 at 6:43 PM, Ryan Sleevi <ryan-mozdevsecpol...@sleevi.com> wrote:

> On Sat, May 30, 2015 2:47 pm, Brian Smith wrote:
> > The main sticks that browsers have in enforcing their CA policies is the
> > threat of removal. However, such a threat seems completely empty when
> > removal means that essential government services become inaccessible and
> > when the removal would likely lead to, at best, a protracted legal battle
> > with the government--perhaps in a secret court.
>
> Ah, but if we're worried about protracted legal battles in secret courts,
> why aren't we worried about protracted legal battles in secret courts for
> inclusion requests? After all, if we were to deny any applicant, who knows
> what secret courts may summon the trust stores!

For what it's worth, I agree with Ryan's rebuttal. I definitely believe government CAs respond to different incentives than commercial CAs, but we can't go around living in total fear of the government doing any old irrational or power-grabbing thing. Governments, including the US government, manage political capital and resources the same way other institutions do, and we should use real precedent as a guide, rather than speculated muscle-flexing.

> > IIRC, in the past, we've seen CAs that lapse in compliance with Mozilla's
> > CA policies and that have claimed they cannot do the work to become
> > compliant again until new legislation has passed to authorize their
> > budget.
> > These episodes are mild examples that show that government legislative
> > processes already have a negative impact on government CAs' compliance
> > with browsers' CA policies.
>
> I agree, this is the strongest argument against government CAs presented
> in this thread, and I wish this, rather than the musings of secret courts
> and "maybe impossibles", was the core of your argument.
>
> These arguments apply not just to government CAs (that may rely on
> external controls for financing, such as budgets, as you mention) but also
> to small commercial CAs (whose profit margins may be too thin to implement
> controls).
>
> The response to both should be the same - removal.

Completely agree.

-- Eric

--
konklone.com | @konklone <https://twitter.com/konklone>
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy