On Sun, Feb 20, 2022 at 5:29 PM Ryan Sleevi <[email protected]> wrote:
>
> On Sun, Feb 20, 2022 at 3:06 PM Peter Bowen <[email protected]> wrote:
>>
>> I do not think this request, or other requests for a new Externally
>> Operated Subordinate CA, should be rejected or accepted based on
>> whether the CA operator is applying for inclusion of a root CA they
>> operate.
>
> This conclusion may, unintentionally, seem to suggest something I was not
> proposing. I'm hoping this was simply trying to be carefully worded to limit
> the scope of what you agree with, although it may be misinterpreted as being
> a rephrasing of my position, which it isn't.
>
> The past discussions you link to are with respect to a different scenario
> than the one we find ourselves in now, and so too were the proposals
> different. Note that I'm not suggesting that subordinate CAs be prohibited,
> as the previous posters suggested, but rather that such subordination be
> placed on hold unless, and until, the CA has undergone adequate review.
I was responding to your statement:

"Had Certainly not applied for a Root Inclusion, I would be actively encouraging that the request be rejected entirely, precisely for the same reasons here: the risk of a subordinate is indistinguishable to end users from that of a root, while the risk to the process and policies is even greater. The march has been towards containing that risk, and, consistent with concerns raised about delegating trust to third-parties such as governments, not one that should be lightly abdicated, least of all because 'of a misguided goal to fairness over security.'"

This seemed to indicate that you were recommending that requests for new externally operated subordinate CAs only be approved if the operator of the new subordinate has already applied for root inclusion. Is this not accurate?

Thanks,
Peter
