On Thu, Oct 15, 2015 at 11:24 AM, David E. Ross <[email protected]> wrote:
> On 10/15/2015 5:27 AM, Kai Engert wrote [in part]:
>>
>> (a) Only grant the S/MIME trust bit if a CA has been granted the SSL/TLS
>> trust bit already.
>>
>> If Mozilla decides to remove a SSL/TLS trust bit, the S/MIME trust bit (and
>> potentially all other trust bits) for that CA will get removed, too.
>>
>> This eliminates the need to work on any CAs that are for the S/MIME purpose,
>> only.
>>
>>
>> (b) Only CAs that explicitly state they'd like to be granted the S/MIME
>> trust bit might potentially get it.
>>
>> This avoids the likelihood that any CA's root gets accidentally used for the
>> non-SSL/TLS purpose.
>
> This might be okay if applied to certification authorities but not to
> individual root certificates. We should not block the S/MIME trust bit
> when a certification authority chooses to have separate root
> certificates for TLS and S/MIME.
>
> --
> David E. Ross

What is the problem with the current situation? Changing process takes
time and effort. Does changing the process really save any effort over
leaving things as they are?
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

