On Tue, Apr 21, 2020 at 01:23:49AM -0400, Ryan Sleevi via dev-security-policy wrote:
> On Mon, Apr 20, 2020 at 10:04 PM Matt Palmer via dev-security-policy
> <[email protected]> wrote:
> > 2. Make the cPSuri actually point to the relevant CPS
>
> That doesn’t really capture what a CPS is. There can be many relevant CPSes
> to a single certificate, both for a single path and multiple paths. That’s
> literally how audits came to be - to support the model of multiple CPSes.
>
> So a statement like “the relevant CPS” is going to be flawed, for better or
> worse. That’s a much bigger change to make (in how policies are managed).
> Despite the merits of forbidding the policy-based approach proposed by the
> ABA PAG, the problem reporting email is probably the least compelling
> reason for scrapping that :(
>
> However, that seems moot if addressed as above?

I don't see the contradiction. A CA could embed values like
https://ca.example/cps?serial=123abc and make sure that only documents
relevant to the certificate in question are listed.

This statement, snipped from above:

> This is exactly the sort of case CCADB is supremely positioned to solve,
> efficiently. In fact, all of these problems can be addressed by CCADB
> improvements, providing programmatically readable data while also making
> use of efficiencies and economies of scale.

makes me curious: do you think CCADB could be leveraged to provide such
a list? To make it recommended (or even mandatory) to link to a
CCADB-provided query mechanism for such documents.

-- 
pozdrawiam / best regards               _.-._
Wojtek Porczyk                       .-^'   '^-.
Invisible Things Lab                 |'-.-^-.-'|
                                     |    |    |
 I do not fear computers,            |  '-.-'  |
 I fear lack of them.                '-._ :  ,-'
    -- Isaac Asimov                     `^-^-_>
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

