On Friday, May 20, 2016 at 10:24:56 AM UTC-7, Andrew Ayer wrote:

> In fact, Kathleen asked explicitly for what the answers "should be" in
> addition to what they are, so my email was not unrelated. To be more
> explicit, I think the answers to questions 3-5 should be no. The
> reason why is explained in my email: requiring CAs to be responsible
> for content has unintended negative effects on HTTPS adoption. I
> think that causes more harm than good to Internet security.
At the risk of "me too," I think Andrew and Eric have properly captured the concerns, and agree with their conclusions. I do not believe the "should" answers should encompass or include "malware," a phrase which is necessarily subjective and subject to interpretation. For example, if a piece of software may be illegal within a local jurisdiction, does it constitute malware? If the issuing CA is in an independent jurisdiction that disagrees with that local jurisdiction, is the CA obligated to revoke such a certificate?

The dangers of policing content are well known and well understood. In the promotion of more encrypted communications, we should not let the ambitions of some CAs to be Internet judges get in the way.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy