On 27/09/17 18:54, Matthew Hardeman wrote:
> In the case of StartCom, I can not help but feel that they are being
> held to an especially high standard (higher than other prior adds to
> the program) in this new PKI because of who they are -- despite the
> fact that management and day-to-day decisions are a completely
> different team.
>
> Where I am headed with this is a concern that perhaps no amount of
> technical remediation can really get these entities back in the
> graces of the community.
I don't know if it's quite as absolute as that, but recent incidents have caused me to ponder somewhat on the nature of trust. The root program is all about trust, and trust is not something which can be encoded in audits, checkboxes and rules. This will always be a tension at the heart of our root program - we are trying to be as objective as we can about something which is ultimately subjective.

The nature of trust is that it's harder to regain than it is to gain in the first place. Just ask someone who's been the victim of adultery - or someone who is a now-repentant adulterer. Rightly or wrongly, people get a first chance, but it's tough to get a second.

I think you are right when you conclude that this is just the way of things, and we should accept it rather than kick against it.

Gerv

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy