On Fri, Feb 18, 2022 at 12:40 AM Ben Wilson <[email protected]> wrote:
> > There are two different trust decisions and processes presented here. > Can you clarify what you see these two different trust decisions as being? In particular, can you clarify what differences there are for Mozilla users? The announced three-week period should be sufficient for people to more > closely examine Certainly, to ask questions, and to bring comments forward > regarding whether they believe Certainly is an appropriate entity to > operate a subCA under GoDaddy's root. > Is three weeks sufficient to review a root request, from end to end? This ties back to the above remark about understanding what difference there is for end users. If anything, the cross-signing action suggests greater risk, because the potential of greater “blast radius,” as it were, should issues arise, as they would implicate GoDaddy, and require addressing those risks. This is, in effect, the “too big to fail” problem, and thus makes meaningful remediation more complex, rather than providing greater assurance. It’s useful to understand if I’m overlooking some dimension here in terms of risks to end users between a root vs a sub-CA. As best I can tell, the argument is that the rather than the normal community evaluation of roots, the community should defer and trust the issuing CA to have done that. I think it’s fairly easy to understand why I have reservations about such a claim, much in the same way we do not allow CAs to delegate domain validation. > -- You received this message because you are subscribed to the Google Groups "[email protected]" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CAErg%3DHH1MzY0hDAeOT_OsOsqL3bEhiy8bpeB6wy_ZKu%3D2L0cjw%40mail.gmail.com.
