On Friday, February 22, 2019 at 10:21:24 PM UTC+1, Wayne Thayer wrote:
> We are not aware of direct evidence of misused
> certificates in this case. However, the evidence does strongly suggest that
> misuse is likely to occur, if it has not already.

So, basing the trust of a CA on "suggestion" and crystal-ball-like "looking 
into the future" (asserting they _will_ abuse their power) without a shred of 
conclusive evidence is considered good practice, now? Aren't the rules for 
admission of a CA in root stores there for a reason (among others to keep the 
process objective)?
Not like all the other ones in the root stores have spotless historical records 
either. Far from it.

> I don't see how approving them, or the continued trust in their 
> intermediates, would be in the interests of Mozilla's users or compatible 
> with the Mozilla Manifesto.

Oh come on. Mozilla itself isn't compatible with the Mozilla Manifesto.

Also, I don't see how a corporate organization's manifesto should have any 
bearing on the truststore used in many independent FOSS operating systems and 
applications. Mozilla might not agree with many things based on political bias 
and let's leave that out the door, shall we? Or do you want to start refusing 
or distrusting CAs that have any sort of affiliation with right-wing political 
parties next?
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
