On Tue, 26 Feb 2019, Rob Stradling via dev-security-policy wrote:
> Hi Scott. It seems that the m.d.s.p list server stripped the attachment, but (for the benefit of everyone reading this) I note that you've also attached it to https://bugzilla.mozilla.org/show_bug.cgi?id=1427262. Direct link: https://bug1427262.bmoattachments.org/attachment.cgi?id=9046699

Thanks for sending the link. The letter is, uhm, interesting. It both states they cannot say anything for national security reasons, says they unconditionally comply with national security (implying even if that violates any BRs) and claims transparency for using CT, which is in fact being forced by browser vendors on them.

"quests to protect their nations" definitely does not exclude "issuing BR violating improper certificates to ensnare enemies of a particular nation state".

Now of course, I don't think this is very different from US based companies that are forced to do the same by their governments, which is why DNSSEC TLSA can be trusted more (and monitored better) than a collection of 500+ CAs from all main nation states that are known for offensive cyber capabilities. But you can ignore this as off-topic :)

Paul