Re: Misissuance/non-compliance remediation timelines

2018-02-08 Thread Paul Kehrer via dev-security-policy
On February 9, 2018 at 1:24:12 AM, Wayne Thayer (wtha...@mozilla.com) wrote: On Tue, Feb 6, 2018 at 6:03 PM, Paul Kehrer via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > > So, how long is too long? > This is the crux of the issue for me. If a CA (that really should have

Re: Misissuance/non-compliance remediation timelines

2018-02-08 Thread Wayne Thayer via dev-security-policy
On Tue, Feb 6, 2018 at 6:03 PM, Paul Kehrer via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > > So, how long is too long? > This is the crux of the issue for me. If a CA (that really should have stopped responding 'good' for unknown certs back in 2013) needs to select,

Re: Misissuance/non-compliance remediation timelines

2018-02-08 Thread Gervase Markham via dev-security-policy
On 07/02/18 15:14, Alex Gaynor wrote: > That said, given the issues Paul highlighted in his original mail (which I > wholeheartedly concur with), it seems the place to focus is the folks who > are getting Ds right now. Therefore I think the essential part of your > email is your agreement that CAs

RE: Misissuance/non-compliance remediation timelines

2018-02-07 Thread James Burton via dev-security-policy
Of Tim Hollebeek via dev-security-policy Sent: 07 February 2018 16:11 To: Alex Gaynor <agay...@mozilla.com> Cc: mozilla-dev-security-pol...@lists.mozilla.org; Paul Kehrer <paul.l.keh...@gmail.com> Subject: RE: Misissuance/non-compliance remediation timelines Alex, Most CAs probably

RE: Misissuance/non-compliance remediation timelines

2018-02-07 Thread Tim Hollebeek via dev-security-policy
leb...@digicert.com> Cc: Paul Kehrer <paul.l.keh...@gmail.com>; mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: Misissuance/non-compliance remediation timelines Hey Tim, A piece I think I'm missing is what you see as the incentive for CAs to aim for an "A" r

RE: Misissuance/non-compliance remediation timelines

2018-02-07 Thread Tim Hollebeek via dev-security-policy
Subject: Re: Misissuance/non-compliance remediation timelines So your view is the “carrot” is getting to use Mozilla’s brand as an endorsement, and the “stick” being that if you don’t get that endorsement for a while, you get kicked out? The assumption is that the branding of “best”

Re: Misissuance/non-compliance remediation timelines

2018-02-06 Thread Ryan Sleevi via dev-security-policy
So your view is the “carrot” is getting to use Mozilla’s brand as an endorsement, and the “stick” being that if you don’t get that endorsement for a while, you get kicked out? The assumption is that the branding of “best” is valuable - presumably, through the indirect benefit of being able to

RE: Misissuance/non-compliance remediation timelines

2018-02-06 Thread Tim Hollebeek via dev-security-policy
Absolutely not. I view the competition as being based on the “most best”. You cannot get an “A” (or even A- or B+) without significantly exceeding the minimum requirements, or demonstrating behaviors and practices that, while not required, are behaviors Mozilla wants to encourage.