Hi all, I am hoping to get some root program perspectives on this incident: https://bugzilla.mozilla.org/show_bug.cgi?id=1815534 and the follow-up incident for delayed revocation: https://bugzilla.mozilla.org/show_bug.cgi?id=1862004.
This CA has clearly ignored Bugzilla until this incident was filed against them. From a quick search on Bugzilla, I did not see any incidents for them, which is an unrealistically low number of incidents for a publicly trusted CA. I am curious, where do the root programs draw the line of "This CA is a net negative for public security & trust?" Do we have these defined anywhere? If not, maybe we should use this as an opportunity to define at what point root programs need to consider distrusting a CA?
