On Tuesday, 11 October 2016 01:04:14 UTC+1, Kathleen Wilson wrote: > Why do we need a minimum of 1 year? > What purpose does that serve? > If they meet all our requirements earlier, why couldn't we discuss it earlier > than 1 year?
The exact period of one year is of course arbitrary. However I believe there are two useful things achieved by setting this period a little longer than the minimum achievable 1. This ensures the Certificate Authority's new management are able to plan out their activities over a reasonable period without pressure to bring things forward in order to meet commercial goals. This is the foundation of (we hope) a long-lived successful CA, it's not about rushing a minimum viable product to market with the plan to fix any deficiencies later. An external organisation like Mozilla is better placed to give management this cover than any internal promise from QiHoo 360 although if the arbitrary period is reasonable I hope QiHoo 360 will accept that it's ultimately to everyone's benefit to have this. 2. In this particular case we get to see QiHoo 360 wind down the existing CA safely and carefully in parallel with the new CA being founded. This is another opportunity to demonstrate good will and competence, including reaching out to existing subscribers to inform them of what happened, what Mozilla and QiHoo 360 are doing about it, and what steps they need to take to retain trust from third parties. In the event that during wind-down QiHoo 360 find other issues not previously detected by Mozilla, it's also a chance to act transparently and disclose those, for example if an undisclosed WoSign intermediate CA from 2015 is found on a smart card in somebody's desk drawer, reporting that rather than just quietly incinerating the smart card helps to demonstrate the organisation has learned to tell us about problems, not hide them. Winding down may take a while to complete, and it would be a shame to rush to instantiate a new CA without seeing the old one decommissioned properly. _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
