On 07/02/18 15:14, Alex Gaynor wrote: > That said, given the issues Paul highlighted in his original mail (which I > wholeheartedly concur with), it seems the place to focus is the folks who > are getting Ds right now. Therefore I think the essential part of your > email is your agreement that CAs which are persistently low performing need > to be recognized and potentially penalized for the sum total of their > behaviors.
This is, in a reasonably strong sense, what happens now. We require each incident in which a CA is involved to be documented in a public bug, so all can see the timeline, outcomes, how the CA reacted and other factors which might be taken into account when determining a CA's competence. Occasionally, we decide that some CA's list of recent problems is sufficiently serious that we need to run an investigation. We do so, and invite the CA to more formally comment on the sum total of the problems. We assess the responses and the style and level of response, and make a determination. This is what happened to WoSign, Symantec and PROCERT: https://wiki.mozilla.org/CA:WoSign_Issues https://wiki.mozilla.org/CA:Symantec_Issues https://wiki.mozilla.org/CA:PROCERT_Issues I therefore expect and hope that CAs in our program have noted what happened in those cases, particularly PROCERT (which is probably the clearest case of simple "general incompetence" that we have had), and want to make sure they are not next. Gerv  Yes, this is vague. But so is the concept of "trust". _______________________________________________ dev-security-policy mailing list firstname.lastname@example.org https://lists.mozilla.org/listinfo/dev-security-policy