On Tue, Mar 20, 2018 at 8:22 AM, Ryan Sleevi <[email protected]> wrote:
> > So, one aspect of this is the recently discussed risk - that is, a CA that > provides value for only 10 users presents a substantial amount of risk to > all Mozilla users, for both compromise and non-compliance. This is, > admittedly, a subjective evaluation - but then again, so is trust. I'm > curious whether the current "typical" language serves to establish a > baseline bar for assesing the risk - that is, a CA that issues only one > certificate a year, used by 100 Mozilla users, seems like a substantial > risk to all Mozilla users. > Does the first sentence of section 7.1 address this concern? I proposed [1] removing "benefits and" so that it reads: 7.1 Inclusions > > We will determine which CA certificates are included in Mozilla's root > program based on the risks of such inclusion to typical users of our > products. > In other words, the proposed change to section 2.1(1) does not exclude roots that fail to meet the "relevant to typical users" bar, but section 7.1 supports us in making decisions based on the risk to a typical user. - Wayne [1] https://github.com/mozilla/pkipolicy/commit/83b2164ff2594249800f40b0e7c00d0816ab77e7#diff-e516d71031639460d171d9f4d04a005b _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
