On Tue, Mar 12, 2019 at 2:49 PM Hector Martin 'marcan' via dev-security-policy <[email protected]> wrote:
> What I'm saying is that merely sticking to the most convenient > interpretation for you and deflecting all responsibility for how we > ended up here is not productive, and does not scream trustworthiness. > The various actors in the WebPKI need to strive for a secure > environment, not act adversarially. This includes both acting in good > faith (e.g. not attempting to pursue "creative interpretations"), but > also, equally, recognizing when actions and decisions may have > unexpectedly and unintentionally contributed to a problem, and making > changes to eliminate that possibility in the future. > Hey Hector, I tried to capture in [1] that the interpretation being offered here is consistent with past discussions. While I understand you may disagree with the documentation, I also tried to capture in [1] how it avoids a different problem which has been discussed in this Forum. As it relates to the remarks about assigning blame or pushing to their customers, I think a more charitable read of those remarks is, again, consistent with long-standing expectations of the policy and past discussions in the Forum, the CA is ultimately responsible for compliance. We have CAs using vendors that are far less responsive or engaged in this Forum, and which software produces things far less compliant, and I want to make sure we don't discourage participation by not assuming good faith or good intent. I totally understand that your personal opinions will naturally (and should naturally!) impact the choice of CA software you run, so I don't want you to think I'm shilling for a particular vendor, but I also want to make sure we're assigning responsibility appropriately. I definitely think it behoves all participants - CAs, software vendors, random users - to strive to avoid "creative interpretations", for the reasons you mention. I think the extent of such creative explorations should be in the pursuit of providing stronger guidance - whether as a matter of policy or to be enshrined in the requirements - rather than excuse or dismiss problems. However, I don't think the current discussion is about dismissing the problems - but about ensuring meaningful technical accuracy so that there's a clear understanding of the issue. [1] https://groups.google.com/d/msg/mozilla.dev.security.policy/13lXh5gomB8/Ie7AnHC9BwAJ _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
