On Tuesday, 18 October 2016 00:27:09 UTC+1, Kathleen Wilson wrote:
> I’m not sure what I could reasonably require (and enforce) of the CA in
> regards to communicating with their customers.
As I understand it QiHoo 360 says they intend to co-operate in order to
eventually get the new StartCom CA trusted. If they are unwilling to
communicate with existing subscribers of both existing CAs effectively, it
seems to me this is evidence of bad faith and excludes the possibility of the
new CA being trusted by Mozilla (or in my opinion any right-thinking person).
So, essentially I'd argue that explaining Mozilla's decision to existing
subscribers is a prerequisite of any future trust for the new StartCom and
Mozilla should emphasise that to QiHoo 360. The communication needn't walk
through all Mozilla's findings, but it should clearly say what will happen (new
certificates won't be trusted) and that QiHoo 360 / WoSign / StartCom accept this
dev-security-policy mailing list