Sure, my intent was to keep it narrowed to understanding the potential impact to this conversation.
I raise this concern because I think it would reflect poorly if these certificates were not revoked. There have been past precedents - e.g. not granting EV to Turktrust after misissuance came to light, post-inclusion process discussions - that are relevant and applicable in knowing whether this precedent still holds. And, as Jeremy’s reply highlights, it sounds like there is non-trivial risk of such actions happening. I would find it difficult, especially if these certificates are EV certificates, to believe that the standards are being upheld in a way that deserves EV recognition if a CA does not make a timely revocation.

Similarly, there has been past precedent that failures are best called out early, during the inclusion process, as they become more difficult to remediate, short of distrust, once they are included, and thus are also treated more seriously. Given these past precedents, it should not seem unreasonable to suggest that any recognition of EV is perhaps contingent upon no new incidents coming to light in the weeks following such discussions. Alternatively, if that is seen to be too extreme, that any incidents being shared following that deadline should result in a return to public discussion, with the default assumption being that EV will not be granted/will be removed, might equally provide a clearer set of expectations, and align with Mozilla’s interest in ensuring CAs consistently meet expectations.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

