On 2015-10-01 11:05, Gervase Markham wrote:
On 01/10/15 02:43, Brian Smith wrote:
Perhaps nobody's is, and the whole idea of using publicly-trusted CAs for
code signing and email certs is flawed and so nobody should do this.
I think we should divide code-signing and email here. I can see how one
might make an argument that using Mozilla's list for code-signing is not
a good idea; a vendor trusting code-signing certs on their platform
should choose which CAs they trust themselves.
This is what Microsoft is doing for things like drivers. For Windows 10
it started with only 1 CA, but there seem to be 4 now.
Kurt
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy