That’s pretty much exactly not what I said.
From: Ryan Sleevi [mailto:r...@sleevi.com]
Sent: Tuesday, February 6, 2018 10:38 PM
To: Tim Hollebeek <tim.holleb...@digicert.com>
Cc: Paul Kehrer <paul.l.keh...@gmail.com>; mozilla-dev-security-pol...@lists.mozilla.org; r...@sleevi.com
Subject: Re: Misissuance/non-compliance remediation timelines

So your view is the “carrot” is getting to use Mozilla’s brand as an endorsement, and the “stick” being that if you don’t get that endorsement for a while, you get kicked out?

The assumption is that the branding of “best” is valuable - presumably, through the indirect benefit of being able to appeal to customers as “the highest rated (by Mozilla) CA”.

In practice, much like the CA/Browser Forum indirectly gave birth to the CA “Security” Council, or the existence of firms like Netcraft or NSS Labs, the more common outcome seems to be that if you don’t like the rules of the game you’re playing, you make up your own/redefine them and try to claim equivalency (much lol “alternative facts”).

That is, I’m skeptical of approaches that attempt to say “most good,” because those seem to encourage all sorts of games of coming up with their own schemes, while “least bad” is more actionable - as “most bad” is more likely to receive sanctions.

On Tue, Feb 6, 2018 at 10:03 PM Tim Hollebeek via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

Absolutely not. I view the competition as being based as the “most best”. You cannot get an “A” (or even A- or B+) without significantly exceeding the minimum requirements, or demonstrating behaviors and practices that, while not required, are behaviors Mozilla wants to encourage.

Sticks are good. Carrots are tasty.

-Tim

Do you see the competition based on being the 'least bad' (i.e. more likely to get an A because of no issues than a B because of some?)

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy