On Sat, Jun 8, 2024 at 9:48 PM Jeffrey Walton <[email protected]> wrote:

> I would caution against that. Effectively, Mozilla would be fiddling
> with the market. The market should be the one to punish (or reward)
> Entrust for the premiums on manual issuance, not Mozilla. When
> subscribers get tired of paying too much for the service, the customer
> will go elsewhere.


Hey, uh, yeah…Mozilla sort of exists to “fiddle with the market” in ways
that it feels protect the web’s users from the direction that The Market
might otherwise take. It’s sort of “their thing”.

But that rather jarring dissonance aside, nobody is objecting to premiums
on manual issuance. It is precisely the opposite: it is an objection to
charging Subscribers *extra* for using *automated* tools that make the web
safer (and which indeed should be cheaper for the CA to operate than a
manual process, but you know how it is with rent seeking).

The CA’s primary responsibility is to the web’s users, not to its
customers. They all know this. It can require that they not always optimize
for short-term business outcomes, but if they are not comfortable with that
*very* explicit tension, then this is not an appropriate business for them.

> In my mind's eye, there are two things to observe. First is the
> CA/Browser Standards ("what we do"), and second is the CA Operating
> Procedures ("how we do it").


I guess that is a way that these things could have evolved in a parallel
universe, but you have perhaps noticed that the BRs already have many
directions as to how things must be done. The BRs are in fact growing more
such directions over time as it becomes increasingly clear that not all CAs
can be trusted to do the things that are best for the health of the WebPKI;
see the active discussion about linting practices in the SCWG, for example.

Mike
