On 08/11/2016 17:50, Ryan Sleevi wrote:
On Tue, Nov 8, 2016 at 2:05 AM, Gervase Markham <g...@mozilla.org> wrote:

...
...

Presumably this is one reason some people are suggesting Mozilla's
policy have a jurisdictional diversity requirement - to make such
coercion harder.

Possibly, but I encourage you to review the past CA/Browser Forum
discussions about CT, and the ct-policy list, to understand why Google
intentionally removed its "diversity" requirement as being ambiguous
and unenforceable, and contributing more harm than good.

For any system of diversity to be relevant, you must be able to
quantify it, and you must be able to quantify it over time. As the
situation with StartCom/WoSign/Qihoo showed, both Mozilla and the
broader ecosystem are not well suited to continuously monitor the
complex legal system of ownership, let alone nexuses of business
operations. And if you can't be certain, and can't measure it, then
are you actually providing value?


Diversity requirements are about reducing the likelihood of
simultaneous coercion, as it can never be ruled out that some powerful
organization already engaged in such things could use some of its
backhanded tactics to subvert a log operator that is entirely outside
its direct jurisdiction.

History has taught us that such things do happen from time to time.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
