On 17/10/16 16:35, Jakob Bohm wrote:
> In the not so distant past, the Mozilla root program was much more
> useful due to different behavior:
> 1. Mozilla managed the root program based on an assumption that relying
>   parties would use the common standard revocation checking methods
>   *only* (regular CRLs as present since Netscape created SSL and OCSP).

Now is not the time to re-debate the failings of those methods, but
please don't pretend you don't know why this change was made.

> 2. Mozilla managed trust bits and inclusion policies for https,
>   non-https TLS (e.g. imaps, pops and smtps), e-mail S/MIME, and
>   generic object/code signing.  Again, this was true since the days
>   when this was the Netscape Navigator trust list.

We still do manage for HTTPS and email. There was never a separate trust
bit for non-https TLS; why are the trust and the requirements for that
different in practice from HTTPS TLS?


dev-security-policy mailing list
