On 05/10/16 05:18, Anand Kumria wrote:
> I think that punishing the auditor here but geographically
> constraining it is the wrong message to send.
>
> Why not simply distrust all audits carried out by Ernst & Young?

As I understand it, global branded auditors are, in fact, made up of a number of local firms. We think that this is the correct scope for this ban at the present time. However, if future problems arise with E&Y audits done by other countries' E&Y teams, that might be the time to consider a ban of wider scope.

> - anyone issuing certificates for .cn, .hk or .mo domains *MUST*
> submit those certificates to the CT server set (with similar
> constraints as you require for WoSign/StartCom)
>
> - constrain certificates issued to .cn, .hk, .mo domains to be valid
> for (at most) 2 years.
>
> The rationale for those additional suggestions is that this might
> preclude any organisation from being pressured into issuing
> certificates with fraudulent information within them and, even if
> that were to occur - and not be detected for a while - you have also
> constrained the maximum exposure window.

"The maximum exposure is 2 years" is not much of a constraint. Additionally, although you don't say who you are talking about, there is not necessarily an overlap between the sort of certs such pressure may relate to and the TLDs you mention. Many important sites use .com, for example. And the risk of a compelled certificate creation attack is nothing to do with the issues at WoSign.

Gerv

_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy

