Peter Bowen <pzbo...@gmail.com> writes:

>The CA/Browser Forum is not a regulatory body. They publish guidelines but
>do not set requirements nor regulate compliance.

It's a bit hard to describe its actual functioning. In theory they just advise, but then so do ISO, IEEE, and others. They're not regulatory bodies either, but when ISO or IEEE says X, you do it.

>What action would you expect the Forum to be taking?

I would have expected some sort of coordinating action to provide a unified response to the issue and corresponding unified, consistent behaviour among the browsers, rather than the current lottery as to what a particular browser (other than Apple's and Mozilla's) will do when it encounters a WoSign cert.

Then there's the bigger question: if the CAB can't do anything about a CA going rogue (fraudulently issuing certs to evade restrictions), does that mean the web PKI is just a free-for-all? Who's running the show if it's not the CAB?

Peter.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy