On Thu, May 2, 2024 at 2:09 PM Mike Shaver <[email protected]> wrote:
>
> Hello,
>
> I have been re-reading the Mozilla root policy, which necessarily leaves
> substantial discretion to Mozilla as to when revocation of a root (or
> otherwise constraining it, if such capabilities existed) is appropriate.
>
> From also reviewing a number of historical incidents in Bugzilla, it seems
> that currently the decision as to whether to sanction a CA is largely
> evaluated on a per-incident basis: is this specific incident sufficient
> grounds to disrupt subscribers and relying parties by forcibly revoking some
> or all of the CA's issued certificates?
>
> Unfortunately, this in my opinion undermines the integrity of the root
> programs, because it means that the pattern of behaviour of a CA over time
> doesn't really have a place in the conversations. There is no summary
> discussion of a CA, even given a pattern of similar incidents, which might
> lead Mozilla and the WebPKI community to decide that said CA was a liability
> to the integrity, both technical and political, of the root program.
>
> I'm posting here not to conduct such a summary discussion of any specific CA
> (yet), but to start a conversation about what the WebPKI community
> represented here might think appropriate as a structure for such historical
> evaluations, and also what tests we might apply to determine if a CA should
> have its inclusion formally reconsidered in some way.
>
> I have my own thoughts on the topic, perhaps obviously, but I would like to
> first leave some space for others to present their opinions.
Bugzilla is not the place to look for this kind of conversation. In recent
memory I can recall Camerfirma (https://wiki.mozilla.org/CA/Camerfirma_Issues
and mozilla.dev.security.policy) and I recall a few more that searching hasn't
turned up yet.

Sincerely,
Watson Ladd

>
> Mike
>
> --
> You received this message because you are subscribed to the Google Groups
> "[email protected]" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CADQzZquoSciv1F-xyqrhZoTobpV2x%2Bcn%3D8jbBtbzsZrdtsJLZg%40mail.gmail.com.

--
Astra mortemque praestare gradatim
