On Tuesday, 18 October 2016 00:27:09 UTC+1, Kathleen Wilson wrote:

> I'm not sure what I could reasonably require (and enforce) of the CA in
> regards to communicating with their customers.

As I understand it, QiHoo 360 says they intend to co-operate in order to eventually get the new StartCom CA trusted. If they are unwilling to communicate with existing subscribers of both existing CAs effectively, it seems to me this is evidence of bad faith and excludes the possibility of the new CA being trusted by Mozilla (or, in my opinion, any right-thinking person).

So, essentially, I'd argue that explaining Mozilla's decision to existing subscribers is a pre-requisite of any future trust for the new StartCom, and Mozilla should emphasise that to QiHoo 360. The communication needn't walk through all Mozilla's findings, but it should clearly say what will happen (new certificates won't be trusted) and that QiHoo 360/WoSign/StartCom accept this as legitimate.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

