On Thu, Feb 9, 2017 at 11:40 PM, Jakob Bohm via dev-security-policy <
[email protected]> wrote:
>
> For clarity, I was pointing out that GTS seems to have chosen a method
> likely to fail if an when actually needed, due to the typical dynamics
> of large human organizations. Presumably an organization of such
> magnitude is likely to have contact points more dedicated to
> time-sensitive action-required messages than the contact point they chose.
>
> So while it's useful for you to draw attention to this, it's without
>> evidence or basis for you to suggest that this is an "issue", per se -
>> that is, it seemingly in no way conflicts with Mozilla policy or
>> industry practice.
>>
>
> I find that it is an issue, but not an absolute cause for rejection.
I think Peter's response basically highlights why this is not an issue, at
least how Mozilla has historically determined them:
"I think the point is that issues raised about CAs need to be grounded in
fact. "Universal Trust Services wrote Y in their CPS but did not do Y as
demonstrated by Z" is something that can be evaluated factually "UTS wrote
Y in their CPS but might not being doing Y" without any evidence is not
something that can be evaluated factually."
Basically, the issue you're raising is, even in the most charitable sense,
not an actionable grounds for rejection - even in part - which you seem to
believe it is ("but not an absolute cause for rejection" - implying it
contributes to some sum total of issues). It might be an opportunity for
the CA to reconsider things, but in the same way that "But the Government
of X might require the CA to do something" is free of evidence and cannot
be evaluated factually, "But they might not abide by the BRs" is free of
evidence and cannot be evaluated factually. It's simply noise.
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
