On Thu, Feb 9, 2017 at 9:56 PM, Richard Wang via dev-security-policy
<dev-security-policy@lists.mozilla.org> wrote:
> I can't see this sentence
>  " I highlight this because we (the community) see the occasional remark like 
> this; most commonly, it's directed at organizations in particular countries, 
> on the basis that we shouldn't trust "them" because they're in one of "those 
> countries". However, the Mozilla policy is structured to provide objective 
> criteria and assessments of that."
> has any relationship with this topic, please advise, thanks.

I think the point is that issues raised about CAs need to be grounded
in fact.  "Universal Trust Services wrote Y in their CPS but did not
do Y as demonstrated by Z" is something that can be evaluated
factually  "UTS wrote Y in their CPS but might not being doing Y"
without any evidence is not something that can be evaluated factually.

I agree with Ryan; we tend to see the second type of issue come up
more often with CAs from certain countries.  This sort of non-data
driven issue is not appropriate to raise.  Instead show what should
have happened and what did not.

dev-security-policy mailing list

Reply via email to