On Mon, May 16, 2016 at 09:20:40AM -0700, Kathleen Wilson wrote:
> In regards to Mozilla policy, maybe we should consider adding text about
> Mozilla's expectations for CAs when they find out that a TLS/SSL
> certificate that they issued is being used to do bad things.

Mozilla should expect that CAs will do nothing when they find out that a TLS/SSL certificate that they issued is being used to do "bad things" (for values of "bad things" that do not subvert the PKI ecosystem itself).

The purpose of a CA is to attest as to *identity*, not *activity*. We have other, more effective, mechanisms for dealing with bad actors.

- Matt

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

