Ah, good point. Yeah, I think that's a perfectly reasonable change.

On Tue, Mar 20, 2018 at 2:45 PM, Wayne Thayer via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> On Tue, Mar 20, 2018 at 8:22 AM, Ryan Sleevi <r...@sleevi.com> wrote:
>
>> So, one aspect of this is the recently discussed risk - that is, a CA that
>> provides value for only 10 users presents a substantial amount of risk to
>> all Mozilla users, for both compromise and non-compliance. This is,
>> admittedly, a subjective evaluation - but then again, so is trust. I'm
>> curious whether the current "typical" language serves to establish a
>> baseline bar for assessing the risk - that is, a CA that issues only one
>> certificate a year, used by 100 Mozilla users, seems like a substantial
>> risk to all Mozilla users.
>
> Does the first sentence of section 7.1 address this concern? I proposed [1]
> removing "benefits and" so that it reads:
>
>> 7.1 Inclusions
>>
>> We will determine which CA certificates are included in Mozilla's root
>> program based on the risks of such inclusion to typical users of our
>> products.
>
> In other words, the proposed change to section 2.1(1) does not exclude
> roots that fail to meet the "relevant to typical users" bar, but section
> 7.1 supports us in making decisions based on the risk to a typical user.
>
> - Wayne
>
> [1] https://github.com/mozilla/pkipolicy/commit/83b2164ff2594249800f40b0e7c00d0816ab77e7#diff-e516d71031639460d171d9f4d04a005b
>
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy