I'm not really sure I understand this response at all. I'm hoping you can
clarify.

On Thu, Dec 27, 2018 at 3:45 PM James Burton <[email protected]> wrote:

> For a CA to intentionally state that they are going to violate the BR
> requirements means that that CA is under immense pressure to comply with
> demands or face retribution.
>

I'm not sure I understand how this flows. Comply with whose demands? Face
retribution from who, and why?


> The severity inflicted on a CA by intentionally violating the BR
> requirements can be severe. Rolling a dice of chance. Why take the risk?
>

I'm not sure I understand the question at the end, and suspect there's a
point to the question I'm missing.

Presumably, a CA stating they're going to violate the BR requirements,
knowing the risk to trust that it may pose, would have done everything
possible to gather every piece of information so that they could assess the
risk of violation is outweighed by whatever other risks (in this case,
revocation). If that's the case, is it unreasonable to ask how the CA
determined that - which is the root cause analysis question? And how to
mitigate whatever other risk (in this case, revocation) poses going
forward, so that violating the BRs isn't consistently seen as the "best"
option?
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
