On 06/06/15 02:12, Brian Smith wrote:
> Richard Barnes <rbar...@mozilla.com> wrote:
>
>> Small CAs are a bad risk/reward trade-off.
>
> Why do CAs with small scope even get added to Mozilla's root program in the
> first place? Why not just say "your scope is too limited to be worthwhile
> for us to include"?
There's the difficulty. All large CAs start off as (one or more :-) small CAs. If we admit no small CAs, we freeze the market with its current players. A great case for this, of course, is Let's Encrypt, who are currently as tiny as it's possible to be, and yet I don't think you'd say they are a bad risk/reward trade-off. That leads me to think that whether a CA is a bad trade-off has factors to consider other than its size.

> Mozilla already tried that with the HARICA CA. But, the result was somewhat
> nonsensical because there is no way to explain the intended scope of HARICA
> precisely enough in terms of name constraints.

Can you expand on that a little?

Gerv

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy