On Thursday, April 21, 2016 at 3:35:55 AM UTC-7, Ryan Sleevi wrote:
> On Wednesday, April 20, 2016 at 5:53:28 PM UTC-7, Matt Palmer wrote:
> > It seems fairly dysfunctional if a single member of the CA/B Forum can
> > prevent a ballot from going ahead.
>
> To be clear: That is not the same as what I said. No single member can
> prevent a ballot going forward - but it can be enough to discourage someone
> from proposing/progressing on a ballot due to not feeling strongly enough.
>
> You can see an original proposal raised on
> https://cabforum.org/pipermail/public/2016-March/006933.html (which I
> referred to earlier). There was interest in proposing a ballot, but that
> interest waned with Symantec's objections.

I wouldn't say I had objections; I merely pointed out that the BRs, as written, prohibit a type of wildcard that Microsoft officially allows in TLS certificates (https://support.microsoft.com/en-us/kb/258858), specifically, w*.example.com and ww*.example.com.

Ideally, CAs and/or Microsoft would have noticed that long ago and brought it up to be resolved before it was encoded in the BRs. So I admit that we were negligent in not raising the issue sooner, but I won't take full blame for it, because other CAs also issued such certificates and Microsoft could have disclosed the conflict. Microsoft has now expressed their opinion that they need to allow them (https://cabforum.org/pipermail/public/2016-April/007335.html).

