I've made the additional change proposed above to the 2.6 branch: https://github.com/mozilla/pkipolicy/commit/13ce71ab3936e721236b8c9f8753f253fb7f3750
On Tue, Mar 20, 2018 at 2:23 PM, Ryan Sleevi <[email protected]> wrote:
> Ah, good point. Yeah, I think that's a perfectly reasonable change.
>
> On Tue, Mar 20, 2018 at 2:45 PM, Wayne Thayer via dev-security-policy <[email protected]> wrote:
>
>> On Tue, Mar 20, 2018 at 8:22 AM, Ryan Sleevi <[email protected]> wrote:
>>
>> > So, one aspect of this is the recently discussed risk - that is, a CA that
>> > provides value for only 10 users presents a substantial amount of risk to
>> > all Mozilla users, for both compromise and non-compliance. This is,
>> > admittedly, a subjective evaluation - but then again, so is trust. I'm
>> > curious whether the current "typical" language serves to establish a
>> > baseline bar for assessing the risk - that is, a CA that issues only one
>> > certificate a year, used by 100 Mozilla users, seems like a substantial
>> > risk to all Mozilla users.
>> >
>>
>> Does the first sentence of section 7.1 address this concern? I proposed [1]
>> removing "benefits and" so that it reads:
>>
>> 7.1 Inclusions
>> >
>> > We will determine which CA certificates are included in Mozilla's root
>> > program based on the risks of such inclusion to typical users of our
>> > products.
>> >
>> In other words, the proposed change to section 2.1(1) does not exclude
>> roots that fail to meet the "relevant to typical users" bar, but section
>> 7.1 supports us in making decisions based on the risk to a typical user.
>>
>> - Wayne
>>
>> [1]
>> https://github.com/mozilla/pkipolicy/commit/83b2164ff2594249800f40b0e7c00d0816ab77e7#diff-e516d71031639460d171d9f4d04a005b
>> _______________________________________________
>> dev-security-policy mailing list
>> [email protected]
>> https://lists.mozilla.org/listinfo/dev-security-policy

