On Monday, March 5, 2018 at 11:38:31 AM UTC-8, Ryan Sleevi wrote:
> While these are interesting questions, I think it gets to the heart of
> policy questions, which is how is policy maintained and enforced. Today,
> there’s only one method - distrust.
>
> So are you suggesting the CA should be distrusted if these “other parties”
> (which may have no observable relationship with the CA) don’t adhere to
> this policy? Are you suggesting the certificates these “other parties” are
> involved with get distrusted? Or something else?
>
> Because without teeth, the policy suggestions themselves are hollow.
That is a very valid point. Well, since I do not have a concrete proposal, it is hard to say at this point if a CA should be kicked out for non-conformance to a given criterion. With that said, today there are over 20 SHOULDs in the BRs, and I can imagine failure to meet those SHOULDs would be considered in aggregate when looking at a distrust event. If nothing else, addressing any potential ambiguity would be useful.

> I disagree on that venue suggestion, since here we can actually have
> widespread public participation. I would also suggest that Section 1.3 of
> the Bylaws would no doubt be something constantly having to be pointed out
> in such discussions.

Fair enough. As I am on the plane to the CA/Browser Forum event, maybe, as a result, I had this venue on my mind; I agree this is a fine venue for this discussion.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

