On Tue, Oct 8, 2019 at 2:44 PM Paul Walsh <p...@metacert.com> wrote:

> Dear Ryan,
>
> It would help a great deal if you tone down your constant insults towards
> the entire CA world. Questioning whether you should trust any CA is a
> bridge too far.
>
> Instead, why don't you try to focus on specific issues with specific CAs,
> or specific issues with most CAs. I don't think you have a specific issue
> with every CA in the world.
>
> If specific CAs fail to do what you think is appropriate for browser
> vendors, perhaps you need to implement new, or improve existing, audits?
> Propose solutions, implement checks and execute better reviews. Then
> iterate until everyone gets it right.

Paul,

I appreciate your response, even if I believe it's largely off-topic, deeply confused, and personally insulting.

This thread is acknowledging there are systemic issues, that it's not with specific CAs, and that the solutions being put forward aren't working, and so we need better solutions. It's also being willing to acknowledge that if we can't find systemic fixes, it may be that we have a broken system, and we should not be afraid of looking to improve or replace the system.

Perhaps you (incorrectly) read "CAs" to mean "every CA in the world", when it's just a plurality of "more than one CA". That's a bias on the reader's part, and suggesting that every plurality be accompanied by a qualifier ("some", "most") is just tone policing rather than engaging on substance.

That said, it's entirely inappropriate to chastise me for highlighting issues of non-compliance and attempting to identify the systemic issue underneath it. It's also entirely inappropriate to insist that I personally solve the issue, especially when significant effort has been expended to address these issues so far, which continues to fail without much explanation as to why it's failing. Suggesting that we should accept regular failures and just deal with it, unfortunately, has no place in reasonable or rational conversation about how to improve things. That's because such a position is not interested in finding solutions, or improving, but in accepting the status quo.
If you have suggestions on why these systemic issues are still happening, despite years of effort to improve them, I welcome them. However, there's no place for reasonable discussion if you don't believe we should have open and frank conversations about issues, about the misaligned incentives, or about how existing efforts by browsers to prevent these incidents are falling flat.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy