It's definitely not the place to discuss individual CAs. The CAB Forum creates guidelines but, intentionally and by design, is not an enforcement or root management authority. The CAB Forum can set policies about CAs, but the browsers retain the sole right to decide what penalties are appropriate for violating the policy.
-----Original Message-----
From: dev-security-policy [mailto:dev-security-policy-bounces+jeremy.rowley=digicert.com@lists.mozilla.org] On Behalf Of Peter Gutmann
Sent: Saturday, October 15, 2016 2:31 AM
To: Erwann Abalea <eaba...@gmail.com>; mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: StartCom & Qihoo Incidents

Erwann Abalea <eaba...@gmail.com> writes:

>And that's not CABF's duty and responsibility. What the CABF can impose
>on CABF members is to follow the bylaws, the internal governance rules.
>By following them, all members write the guidelines and decide on what
>changes to adopt, and browsers then impose CAs to follow these guidelines.

Hmm, OK. I was just wondering why the CABF seemed to be missing in action, since it appeared to be the logical place to address this sort of issue.

>What appears from the CABF meeting minutes is that the
>WoSign+StartCom+Qihoo combination is looked after, precisely regarding the bylaws.

Hmm, I'm not quite sure what you mean by that, but a quick check of the most recently published minutes:

https://cabforum.org/2016/09/15/2016-09-15-minutes/
https://cabforum.org/2016/09/29/2016-09-29-minutes/

indicates that not much has happened, there's just a brief comment about whether { WoSign, Startcom, Qihoo 360 } should be treated as one entity or three. I assume that's the bylaw issue?

So there really is no-one running the show, meaning no coordinating body that can say "bad things are happening over here, you need to take action to deal with them"? It just seems odd that the next time a CA goes rogue, every end user on the planet has to wait for whatever browser vendor they rely on to make some arbitrary decision on what to do, or as it seems for many vendors in the case of WoSign, do nothing. The only one who's openly addressed this seems to be Mozilla.

Peter.
_______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy