On Sun, Feb 20, 2022 at 10:04:50PM +0200, Dimitris Zacharopoulos wrote:
> My understanding is that users are protected equally by both routes:
> - new Root CA, where at least a Root Store Manager performs the initial due
> diligence,
> - externally-operated subCA, where the issuing CA performs the due
> diligence.

That assumes that the quality of the initial due diligence is the same in
both cases. Can you explain why you believe that to be the case?

> In both cases the community has the same amount of time to review the
> applications (at least 3 weeks) and dig into the CP/CPS and audit reports.

For a root inclusion request, the module owner (IIRC) does a deep-dive on
the CP/CPS before the discussion period.

- Matt

To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/20220221012124.GE8187%40hezmatt.org.
