On Tuesday, August 8, 2017 at 11:05:06 PM UTC+9, Jakob Bohm wrote:
> I was not advocating "letting everyone decide".  I was advocating that
> Mozilla show some restraint, intelligence and common sense in wielding
> the new weapons that certlint and crt.sh have given us.
> This shouldn't be race as to who wields the weapon first, forgiving CAs
> only if they happen to report faster than some other newsgroup
> participant.
> This is similar to if a store boss gets a new surveillance camera in the
> shop and sees that some employees are taking extra breaks when there are
> few customers in the store.  It would be unreasonable for such a store
> boss to discipline this with similar zeal as seeing some employees
> genuinely steeling cash out of the register or selling stolen items out
> of the back door.  Instead the fact that they work less when there is
> less work to do should inspire reevaluation of any old rule that they
> are not allowed to have a watercooler chat during work hours.
> Now such a reevaluation might result in requiring them to use such
> occasions to clean the floors or do some other chores (Mozilla equiv:
> Deciding that the rule is important for good reason and needs to be
> followed in the future) or it could result in relaxing the rule as
> long as they stand ready the moment a customer arrives (Mozilla equiv:
> Relaxing the requirement, initially just for Mozilla, later perhaps as a
> BR change).
> Dogmatically insisting on enforcing rules that were previously not
> enforced due to lack of detection, just because "rules are rules" or
> other such arguments seems overzealous.

Such tools have been available for over a year. CAs have been aware of this, 
the ability to run it over their own corpus and self-detect and self-report. 
These tools, notably, were created by one of the newest CA applicants - Amazon 
- based on a methodical study of what is required of a CA.

Your attempts to characterize it as overzealous ignore this entirely. At this 
point, it's gross negligence, and attempts to argue otherwise merely suggest a 
lack of understanding or concern for standards compliance and interoperability.

Mozilla has already communicated to CAs these tools exist and their relevance 
to CAs.

Perhaps we can move on from misguided apologetics and instead focus on how to 
make things better. Suggestions we ignore these, at this point, are neither 
productive nor relevant. Attempts to suggest tortured metaphors are like 
attempting to suggest rich people deserve to be robbed, or poor people just 
need to work harder - arguments that are both hollow and borderline offensive 
in their reductionism. A pattern of easily preventable misissuance has been 
happening,CAs have been repeatedly told to self-detect, and clearly, some CAs, 
like presumably some businesses, aren't taking security seriously. That needs 
to stop.
dev-security-policy mailing list

Reply via email to