On 01/06/17 13:49, Ryan Sleevi wrote:
> I would encourage you to reconsider this, or perhaps I've misunderstood
> your position. To the extent that Mozilla's mission includes "The
> effectiveness of the Internet as a public resource depends upon
> interoperability (protocols, data formats, content) ....", the
> well-formedness and encoding directly affects Mozilla users (sites working
> in Vendors A, B, C but not Mozilla) and the broader ecosystem (sites
> Mozilla users are protected from that vendors A, B, C are not).

My point is not that we are entirely indifferent to such problems, but
that perhaps the category of "mis-issuance" is the wrong one for such
errors. I guess it depends what we mean by "mis-issuance" - which is the
entire point of this discussion!

So, if mis-issuance means there is some sort of security problem, then
my original definition still seems like a good one to me. If
mis-issuance means any problem where the certificate is not as it should
be, then we need a wider definition.

I wonder whether we need a new word for certificates which are bogus for
a non-security-related reason. "Mis-constructed"?

dev-security-policy mailing list
