On 01/10/15 02:43, Brian Smith wrote:
> Perhaps nobody's is, and the whole idea of using publicly-trusted CAs for
> code signing and email certs is flawed and so nobody should do this.

I think we should divide code-signing and email here. I can see how one might make an argument that using Mozilla's list for code-signing is not a good idea; a vendor trusting code-signing certs on their platform should choose which CAs they trust themselves. But if there is no widely-trusted set of email roots, what will that do for S/MIME interoperability?

> I wish you would have led with these completely ridiculous suggestion
> instead of the only-slightly-less ridiculous stuff that preceded it.

This kind of language, while it does follow the rule of criticising ideas rather than people, is not particularly constructive.

Gerv
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

