On Tuesday, 6 June 2017 21:08:54 UTC+1, Ryan Sleevi  wrote:
> Standards defining organization.

More usually a Standards _Development_ Organization. I wouldn't usually feel 
the need to offer this correction but in this context we care a good deal about 
the fact that SDOs are where the actual engineering is done, where the 
expertise about the particular niche being standardised exists.

Even in the IETF, which is unusual in having some pretty technical people 
making its top level decisions, the serious work is mostly done in specialist 
working groups, with their products percolating up afterwards. For most 
standards bodies the top level stuff is purely politics - at the ITU the 
members are (notionally) sovereign nations themselves, same for the UPU, at ISO 
they're entire national standards bodies, and so on - utterly unsuitable to the 
meat of standards development itself. Most expertise is instead present in 
smaller, specialised SDOs in these cases.

Anyway, to Jakob's point it is _extremely_ unlikely that a new piece of 
infrastructure will spring into existence fully formed and ready for use in 
anger in the Web PKI without enough time for Mozilla, and m.d.s.policy to 
evaluate it and if necessary update the relevant policy documents. Much more 
likely, in my opinion, is that something half-baked is tried by a CA, and later 
realised to have opened an unsuspected hole in security.

Nothing even prevents this policy being updated to permit, for example, trials 
of some particular promising new idea that needs testing at scale, although I 
think in most cases that won't be necessary. Consider the CRL signing idea, 
this can be tested perfectly well without using any trusted CA or subCA keys at 
all. A final production version would probably use trusted keys, but you don't 
need to start with them to see it work.
dev-security-policy mailing list

Reply via email to