On Thu, Apr 16, 2020 at 4:09 PM Tim Hollebeek <[email protected]> wrote:

> On the other hand, for example in Shanghai, some have argued that there is
> nothing wrong with a CPS that does not disclose anything about how CAs
> implement any of the policy requirements.

Understandably, it's a spectrum. For these sorts of implementation questions, I think this is really an area where the Detailed Control Reporting (see https://cabforum.org/2020/03/20/minutes-for-ca-browser-forum-f2f-meeting-49-bratislava-19-20-february-2020/#WebTrust-Update for an example) would be helpful here. In the end, the transparency is about finding the right level of relevant information that's useful. Complete transparency can be useful, but can also hide shenanigans in the information overload. We see this regularly with CP/CPS reviews, in which dozens of CPSes may have subtle and ill-defined interactions that are only obvious after hundreds of pages of reading. Figuring out how to better surface these, through both normative requirements and standardized disclosures, is the approach.

> I would personally find it very unfortunate if the trend continues, and we
> have increasingly vacuous CPSs that contain no relevant information. But in
> the absence of requirements to disclose relevant practices, I'm not
> surprised that that's a trend that has been embraced by some CAs.

Figuring out the right transparency for the original problem on the thread is difficult. Do you think the steps I proposed work? I'm not confident they do, but I think they might be a useful stepping stone. Given DigiCert originally raised this, perhaps you have suggestions for possible means of unambiguously getting disclosure around revocation practices and policies?

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

