On Thu, Jan 18, 2018 at 4:59 AM, Gervase Markham via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote:
> On 17/01/18 19:14, Ryan Hurst wrote: > > Since Google's PKI was mentioned as an example, I can publicly state > > that the plan is for Google to utilize the Google Trust Services > > infrastructure to satisfy its SSL certificate needs. While I can not > > announce specific product roadmaps I can say that this includes the > > issuance of certificates for Google offerings involving hosting of > > products and services for customers. > > This is an interesting situation because it points to an interesting > ramification of a requirement which is anything like "issues certs to > the public". > > We can compare large companies who happen to be in the cloud hosting > business (e.g. Google, Amazon, Microsoft) with those that are not. The > former category can pass a "issuing certs to the public" test and so > qualify for inclusion, and can then use that same infra to issue their > internal certs, or certs for their own public-facing domains and > hostnames. A large company which happens not to be in the cloud hosting > business cannot pass that test, and so has to use a 3rd party CA for > their cert requirements. > > One could argue that deciding whether a large tech company gets the > convenience of a self-hosted root based on whether they provide a > particular service is not very fair. Gerv, I do want to point out that you are substantially changing the goals from what Wayne posited. That is, you have moved the goalpost from being 'objective' to being what is 'fair', and 'fair' will inherently be a subjective evaluation. Was it your intent to redefine the problem like that? If not, do you have those concerns about the objective measures, or is your goal to find objective measures which you subjectively believe to be 'fair'? For example, an objective measure would be "Paid for a 2-week vacation for Gervase Markham and family every year to a location of their choosing", but I suspect that you might argue it's subjectively 'not fair'? _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
