On 17/10/16 16:35, Jakob Bohm wrote:
> In the not so distant past, the Mozilla root program was much more
> useful due to different behavior:
> 1. Mozilla managed the root program based on an assumption that relying
> parties would use the common standard revocation checking methods
> *only* (regular CRLs as present since Netscape created SSL and OCSP).

Now is not the time to re-debate the failings of those methods, but
please don't pretend you don't know why this change was made.

> 2. Mozilla managed trust bits and inclusion policies for https,
> non-https TLS (e.g. imaps, pops and smtps), e-mail S/MIME, and
> generic object/code signing. Again, this was true since the days
> when this was the Netscape Navigator trust list.

We still do manage for HTTPS and email. There was never a separate trust
bit for non-https TLS; why is the trust and the requirements for that
different in practice from HTTPS TLS?

dev-security-policy mailing list