On Mon, Mar 4, 2019 at 9:04 AM Matthew Hardeman via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> On Sun, Mar 3, 2019 at 6:13 PM Ryan Sleevi <r...@sleevi.com> wrote:
>
> >
> > It is not clear how this follows. As my previous messages tried to
> > capture, the program is, and has always been, inherently subjective and
> > precisely designed to support discretionary decisions. These do not seem to
> > inherently conflict with or contradict transparency.
> >
> > Even setting aside the examples of inclusions - ones which were designed
> > to be based on a communal evaluation of risks and benefits - one can look
> > at the fact that every violation of the program rules and guidelines has
> > not resulted in CAs being immediately removed. Every aspect of the program,
> > including the audits, is discretionary in nature.
> >
> > It would be useful to understand where and how you see the conflict,
> > though.
> >
>
> I think my disconnect arises in as far as that for the period of time in
> which I've tracked the program and this group, I can not recall use of
> subjective discretion to deny admission to the program.  Any use of a
> subjective basis as the lead cause for not including Dark Matter would, to
> my admittedly limited time-window of observation in this area, be new
> territory.
>

I was concerned by the idea that discretionary decisions inherently lack
transparency, but it sounds like we are agreeing that is not the case. In
my experience, the approval or denial of a root inclusion request often
comes down to a subjective decision. Some issues exist that could
technically disqualify the request (e.g. DarkMatter's serial number
entropy) and we have to weigh the good, 'meh', and bad of the request to
come to a decision. Sometimes we say 'no' (e.g. [1], [2]).

- Wayne

[1] https://groups.google.com/d/msg/mozilla.dev.security.policy/wCZsVq7AtUY/Uj1aMht9BAAJ
[2] https://groups.google.com/d/msg/mozilla.dev.security.policy/fTeHAGGTBqg/l51Nt5ijAgAJ