On Tuesday, 11 October 2016 01:04:14 UTC+1, Kathleen Wilson wrote:
> Why do we need a minimum of 1 year?
> What purpose does that serve?
> If they meet all our requirements earlier, why couldn't we discuss it earlier
> than 1 year?
The exact period of one year is of course arbitrary. However I believe there
are two useful things achieved by setting this period a little longer than the
1. This ensures the Certificate Authority's new management are able to plan out
their activities over a reasonable period without pressure to bring things
forward in order to meet commercial goals. This is the foundation of (we hope)
a long-lived successful CA, it's not about rushing a minimum viable product to
market with the plan to fix any deficiencies later. An external organisation
like Mozilla is better placed to give management this cover than any internal
promise from QiHoo 360 although if the arbitrary period is reasonable I hope
QiHoo 360 will accept that it's ultimately to everyone's benefit to have this.
2. In this particular case we get to see QiHoo 360 wind down the existing CA
safely and carefully in parallel with the new CA being founded. This is another
opportunity to demonstrate good will and competence, including reaching out to
existing subscribers to inform them of what happened, what Mozilla and QiHoo
360 are doing about it, and what steps they need to take to retain trust from
third parties. In the event that during wind-down QiHoo 360 find other issues
not previously detected by Mozilla, it's also a chance to act transparently and
disclose those, for example if an undisclosed WoSign intermediate CA from 2015
is found on a smart card in somebody's desk drawer, reporting that rather than
just quietly incinerating the smart card helps to demonstrate the organisation
has learned to tell us about problems, not hide them. Winding down may take a
while to complete, and it would be a shame to rush to instantiate a new CA
without seeing the old one decommissioned properly.
dev-security-policy mailing list