> Do we really want the CA community to be filled with bureaucratic
> enforcement of harsh punishments for every slight misstep? This is the
> important question that any organization (in this case this community)
> needs to ask itself whenever new surveillance abilities make it possible
> to catch microscopic infractions.
I can certainly see both sides. The discovery of these matters is a natural consequence of the increasing prevalence (and ultimately mandatory nature) of CT. I do think a strong approach of identifying issues and potential issues, accompanied with as forgiving a perspective as possible, is important moving forward: It is important that issues or potential issues (I would regard variance from the accepted norm in areas where there is ambiguity as to the propriety of a given encoding / parameter / etc. in the standards as a "potential issue") be identified so that conclusions can be made as to what is or is not correct and proper, and so that any unintended (or worse, precisely intended) consequences can be determined. It is also important, however, that where there is no direct security risk, there be a great deal of leeway and time to resolve the issues moving forward.

If this is not the case, the easy answer for any commercial CA would be to use the exact same software stack as every other CA. There is already, in fact, a lot of concentration in that area. If using the same config X on software version Y of package A is the formula that every CA implements in order to not get caught out on these issues, this will create a significant monoculture as to key pieces of the PKI infrastructure, which might easily create a greater ecosystem risk than some of these technical noncompliances.

Harsh punishments or consequences should be reserved for real security problems, real intentional deception, actual harms, etc. The one gray area that must be watched for is constant issues of one form or another from a broad array of problem areas. The community is NOT the basic compliance test bed. A CA cannot expect to just have the community do their QA and compliance testing. Frequent issues on well-resolved matters across a broad array, all arising from a single CA, would bring a question of whether the CA is exercising due care in their operations.
_______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy