On 16/03/17 13:15, Ryan Sleevi wrote:
> Or, put differently, it sounds as if you suggest the only obligation a CA
> has to ensure their DTP auditors are qualified for the task at hand is if,
> and only if, Mozilla requests those audits. In the absence of that request,
> the CA is allowed to make their own individual determination. Further, it
> seems that you are suggesting that if a CA makes that determination, and
> it's incorrect, that's not a failure upon the CA's part, because they made
> 'a decision', and the relevant portions of Mozilla policy only apply to the
> 'next' audit.

I am saying that, however undesirable, our current policy could be interpreted this way, which is why I want to change it. You don't have to convince me that this situation is undesirable :-)

Gerv

