On Tuesday, 11 October 2016 01:04:14 UTC+1, Kathleen Wilson  wrote:
> Why do we need a minimum of 1 year?
> What purpose does that serve?
> If they meet all our requirements earlier, why couldn't we discuss it earlier 
> than 1 year?

The exact period of one year is of course arbitrary. However, I believe there 
are two useful things achieved by setting this period a little longer than the 
minimum achievable:

1. This ensures the Certificate Authority's new management are able to plan out 
their activities over a reasonable period without pressure to bring things 
forward in order to meet commercial goals. This is the foundation of (we hope) 
a long-lived successful CA; it's not about rushing a minimum viable product to 
market with the plan to fix any deficiencies later. An external organisation 
like Mozilla is better placed to give management this cover than any internal 
promise from QiHoo 360, although if the arbitrary period is reasonable I hope 
QiHoo 360 will accept that it's ultimately to everyone's benefit to have this.

2. In this particular case we get to see QiHoo 360 wind down the existing CA 
safely and carefully in parallel with the new CA being founded. This is another 
opportunity to demonstrate good will and competence, including reaching out to 
existing subscribers to inform them of what happened, what Mozilla and QiHoo 
360 are doing about it, and what steps they need to take to retain trust from 
third parties. In the event that during wind-down QiHoo 360 find other issues 
not previously detected by Mozilla, it's also a chance to act transparently and 
disclose those. For example, if an undisclosed WoSign intermediate CA from 2015 
is found on a smart card in somebody's desk drawer, reporting that rather than 
just quietly incinerating the smart card helps to demonstrate the organisation 
has learned to tell us about problems, not hide them. Winding down may take a 
while to complete, and it would be a shame to rush to instantiate a new CA 
without seeing the old one decommissioned properly.