On 10/09/2016 14:39, Gervase Markham wrote:
> On 09/09/16 11:59, Jakob Bohm wrote:
>> Since a major root compromise is generally considered the worst
>> possible security event for a trusted CA, this wording could easily be
>> (mis?)understood not to require reporting of lesser security failures,
>> such as issuing millions (or just hundreds) of certificates without
>> proper validation etc.
>
> Our position on the meaning of this clause, which (by their behaviour)
> can be said to be shared by many CAs, was set out at the very beginning
> of the original mail about WoSign.
Yes, I am aware of this position and suggesting the Mozilla policy be
changed to reflect its intended meaning.
This is particularly relevant as one of the CAs currently under
discussion claimed difficulty understanding that this particular rule
required them to report lesser incidents.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy