On 07/02/18 15:14, Alex Gaynor wrote:
> That said, given the issues Paul highlighted in his original mail (which I
> wholeheartedly concur with), it seems the place to focus is the folks who
> are getting Ds right now. Therefore I think the essential part of your
> email is your agreement that CAs which are persistently low performing need
> to be recognized and potentially penalized for the sum total of their
> behaviors.

This is, in a reasonably strong sense, what happens now. We require each
incident in which a CA is involved to be documented in a public bug, so
all can see the timeline, outcomes, how the CA reacted and other factors
which might be taken into account when determining a CA's competence.

Occasionally, we decide that some CA's list of recent[0] problems is
sufficiently serious[0] that we need to run an investigation. We do so,
and invite the CA to more formally comment on the sum total of the
problems. We assess the responses and the style and level of response,
and make a determination[0]. This is what happened to WoSign, Symantec

I therefore expect and hope that CAs in our program have noted what
happened in those cases, particularly PROCERT (which is probably the
clearest case of simple "general incompetence" that we have had), and
want to make sure they are not next.


[0] Yes, this is vague. But so is the concept of "trust".
dev-security-policy mailing list

Reply via email to