On Thu, Aug 03, 2017 at 08:47:17AM +0000, Inigo Barreira via dev-security-policy wrote:

> And what I don't understand are those comments of "very sloppy issuance
> practices", "many non-BR compliant", "especially given the historic issues
> with StartCom" and consider them very unfair. These are subjective opinions
> which are very dangerous and not fair.

Fairness is not, as far as I'm aware, a criterion for inclusion in the Mozilla root store.

> This is a totally new system that is not related to "the historic issues"
> at all, so whatever happened in the past is not related (and we could talk a
> lot of why StartCom was distrusted in the past), only the name is the same.

Systems are not limited to software and hardware. They also include the people, and at least some of the people in "the system" are the same. Further, if "the system" *were* completely new and improved, why is it still producing problematic certificates and generally looking, from the outside, like a complete and utter shambles?

> Finally I'd like to understand also why it has been asked to create OneCRL
> entries for these subCAs.

Because the intermediates chain to a CA certificate which represents a demonstrably broken and untrustworthy system, and distrusting the intermediates has no visible impact on the relying parties which the Mozilla trust store represents.

- Matt

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

