On Wed, Dec 5, 2018 at 3:48 AM Dimitris Zacharopoulos via dev-security-policy <[email protected]> wrote:
> On 5/12/2018 10:02 a.m., Fotis Loukos wrote:
> >
> > > The proposal was apparently to further restrict the ability of CAs to
> > > make exceptions on their own, by requiring all such exceptions to go
> > > through the public forums where the root programs can challenge or even
> > > deny a proposed exception, after hearing the case by case arguments for
> > > why an exception should be granted.
> >
> > effectively 'legalizing' BR violations after browsers' consent (granting
> > an exception). Before two paragraphs you stated that you never proposed
> > making an extended revocation legal.
> >
> > Regards,
> > Fotis
>
> You missed one of Jakob's important points. This usually happens when you
> clip-paste specific sentences that change the meaning of a whole
> conversation.
>
> "
> > But only if one ignores the
> reality that such exceptions currently happen with little or no
> oversight."
>

I am particularly troubled by the proposal that exceptions be granted by Mozilla as part of some recognized process. There is a huge difference between this and the current process in which CAs may choose to take exceptions as explicit violations. Even if the result is the same, granting exceptions transfers the risk from the CA to Mozilla. We then are responsible for assessing the potential impact, and if we get it wrong, it's our fault. Please, let's not go there. As has been stated, if there is really no risk to violating a requirement, then it's reasonable to make a case for removing that requirement.

- Wayne

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

