On 17/10/16 16:35, Jakob Bohm wrote:
> In the not so distant past, the Mozilla root program was much more
> useful due to different behavior:
>
> 1. Mozilla managed the root program based on an assumption that relying
> parties would use the common standard revocation checking methods
> *only* (regular CRLs as present since Netscape created SSL and OCSP).

Now is not the time to re-debate the failings of those methods, but
please don't pretend you don't know why this change was made.

> 2. Mozilla managed trust bits and inclusion policies for https,
> non-https TLS (e.g. imaps, pops and smtps), e-mail S/MIME, and
> generic object/code signing. Again, this was true since the days
> when this was the Netscape Navigator trust list.

We still do manage for HTTPS and email. There was never a separate trust
bit for non-https TLS; why is the trust and the requirements for that
different in practice from HTTPS TLS?

Gerv