On 9/18/15 5:48 AM, Peter Kurrasch wrote:
> Hi Kathleen,
> This summary looks pretty good. I think you could add the point raised by Man
> Ho which essentially asks the question of who should/can/will evaluate the
> trustworthiness of root certs. There are pros and cons either way on that one.
> One last comment I'll make is that, among other things, I've been approaching
> this from the standpoint of Mozilla's commitment to openness, open-source, and
> security. Perhaps that's a bit rosy but I'll offer it up for whatever it may be
> worth.
I'm not sure what your last comment means. Do you think that Mozilla's
commitment to openness, open-source, and security is an argument against
removing the code signing trust bit?
Given the response so far and the summary of this discussion, it is
looking to me like the arguments for this proposal to remove the code
signing trust bit outweigh the arguments against.
This discussion is still open, so if any of you believe I have missed
anything, please speak up soon.
Thanks,
Kathleen
_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy