On Friday, 22 September 2017 05:01:03 UTC+1, Peter Bowen wrote:
> I realize this is somewhat more complex than what you, Ryan, or Jeremy
> proposed, but it's the only way I see root pins working across both
> "old" and "new" trust stores.
I would suggest that a better way to spend the remaining time would be remedial work so that your business isn't dependent on a single third party happening to make choices that are compatible with your existing processes. Trust agility should be built into existing processes and systems; where it doesn't exist today it must be retro-fitted, and systems which can't be retrofitted are an ongoing risk to the company's ability to deliver. Trust agility doesn't have to mean you give up all control, but if you were in a situation where the business trusted roots from Symantec, Comodo and, say, GlobalSign, then you would have an obvious path forwards in today's scenario without also needing to trust dozens of organisations you've had no contact with.

I know the Mozilla organisation has made this mistake itself in the past, and I'm sure Google has too, but I don't want too much sympathy here to get in the way of actually making us safer.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy