My perspective is that of an end user and also that of a software developer involved in a non-web-browser space in which various devices and manufacturers generally defer to the Mozilla root program's trust store. As such, I'm quite certain that my opinions don't -- and should not -- have the weight that yours or Ryan Sleevi's do.
That said, I do think the principal concern with discretionary basis for reaching a decision leaves the door open to criticism of favoritism, etc, all things that transparency helps avoid. As such, I don't personally consider use of discretion in these matters to be in keeping with transparency. I agree that there is the technical matter of the on the serial matters, but it seems as though DarkMatter has already signaled a willingness to cut a new hierarchy that wouldn't have that problem. By historical precedent, that would be more than enough remediation. Discussion also suggests that there may yet be more CAs with these same serial numbers issues lurking in the weeds owing to default configuration of the predominant CA software. While the other two examples get to "no", it is apparent that both of those cases had a more complicated set of extant issues in the hierarchies which were being put forth for inclusion/upgrade. I agree that there's inevitably discretion exercised as to the measure of sanction or remediation required. But I can't find any recent cases of discretion effectively barring an entity from inclusion. On Mon, Mar 4, 2019 at 10:40 AM Wayne Thayer <wtha...@mozilla.com> wrote: > >> I was concerned by the idea that discretionary decisions inherently lack > transparency, but it sounds like we are agreeing that is not the case. In > my experience, the approval or denial of a root inclusion request often > comes down to a subjective decision. Some issues exist that could > technically disqualify the request (e.g. DarkMatter's serial number > entropy) and we have to weight the good, 'meh', and bad of the request to > come to a decision. Sometimes we say 'no' (e.g. [1], [2]). > > - Wayne > > [1] > https://groups.google.com/d/msg/mozilla.dev.security.policy/wCZsVq7AtUY/Uj1aMht9BAAJ > [2] > https://groups.google.com/d/msg/mozilla.dev.security.policy/fTeHAGGTBqg/l51Nt5ijAgAJ > _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
