On Mon, Nov 14, 2016 at 3:46 AM, Gervase Markham <[email protected]> wrote:
>
> If this is the only privacy mechanism available for 6962bis, I suspect
> we will see a lot more TCSCs about, particularly if CAs figure out ways
> to mint them at scale within the letter of the BRs and other requirements.

It is very easy to mint TCSCs at scale without violating the letter or
the spirit of the BRs and other requirements.

> CT is getting to be very useful as a way of surveying the certificate
> ecosystem. This is helpful to assess the impact of proposed policy
> changes or positions, e.g. "how many certs don't have an EKU", or "how
> many certs use a certain type of crypto". If certs under TCSCs are
> exempt and this becomes popular, CT would become less useful for that.
>
> One possible answer is just to say: "Mozilla will not accept 'but we
> have a lot of certs under TCSCs which will be affected by this' as a
> valid reason not to do something. In other words, if you hide stuff and
> it breaks, you get to keep both pieces." But in practice, such a line
> might not hold.

I think this is the right answer.  Yes, CT has helped provide a better
view into the galaxy of CAs that is WebPKI, but that was not its stated
purpose.  CT was created to help domain registrants have visibility
into what is issued for their domain names.  If domain holders want to
keep their certificates semi-private, then they need to be aware that
security is a moving target and their input on data-driven decisions
may be diminished.

Thanks,
Peter
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
