> At least there'd be clarity about the immediate removal on discovery. I find it hard to believe that a business centered entirely around the CA business would self-report this or any other issue if they knew it would lead to removal. At the moment, the only incentive to report is the potential greater damage from not doing it. If the entire business is a CA and it's removed, then it's over. They have no incentive to comply with a policy that would bankrupt them.
In fact, I'd expect that they could easily get in trouble for not looking out for shareholder interests if they comply with a policy that's above and beyond what is required by law. Is there any legal weight behind the policies? Mozilla is fine with continuing to empower a Chinese government apparatus with the ability to MITM people around the world, even after they are caught red-handed with such a certificate issued. Hard to believe any explanation they offer about the existence of said certificate. It's not hard for the Chinese military to set up a shell company in the Middle East.
_______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy