On Thursday, April 21, 2016 at 9:15:43 AM UTC-7, Rick Andrews wrote:
> On Thursday, April 21, 2016 at 3:35:55 AM UTC-7, Ryan Sleevi wrote:
> > On Wednesday, April 20, 2016 at 5:53:28 PM UTC-7, Matt Palmer wrote:
> > > It seems fairly dysfunctional if a single member of the CA/B Forum can
> > > prevent a ballot from going ahead.
> >
> > To be clear: That is not the same as what I said. No single member can
> > prevent a ballot going forward - but it can be enough to discourage someone
> > from proposing/progressing on a ballot due to not feeling strongly enough.
> >
> > You can see an original proposal raised on
> > https://cabforum.org/pipermail/public/2016-March/006933.html (which I
> > referred to earlier). There was interest in proposing a ballot, but that
> > interest waned with Symantec's objections.
>
> I wouldn't say I had objections; I merely pointed out that the BRs, as
> written, prohibit a type of wildcard that Microsoft officially allows in TLS
> certificates (https://support.microsoft.com/en-us/kb/258858), specifically,
> w*.example.com and ww*.example.com. Ideally, CAs and/or Microsoft would have
> noticed that long ago and brought it up to be resolved before it was encoded
> in the BRs. So I admit that we were negligent in not raising the issue
> sooner, but I won't take full blame for it, because other CAs also issued
> such certificates and Microsoft could have disclosed the conflict. Microsoft
> has now expressed their opinion that they need to allow them
> (https://cabforum.org/pipermail/public/2016-April/007335.html).

Apologies; I mixed up two discussions. Microsoft hasn't yet expressed their opinion in favor of this. Please ignore that last link.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

