On Thu, Feb 9, 2017 at 9:56 PM, Richard Wang via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote: > I can't see this sentence > " I highlight this because we (the community) see the occasional remark like > this; most commonly, it's directed at organizations in particular countries, > on the basis that we shouldn't trust "them" because they're in one of "those > countries". However, the Mozilla policy is structured to provide objective > criteria and assessments of that." > has any relationship with this topic, please advise, thanks.
I think the point is that issues raised about CAs need to be grounded in fact. "Universal Trust Services wrote Y in their CPS but did not do Y as demonstrated by Z" is something that can be evaluated factually "UTS wrote Y in their CPS but might not being doing Y" without any evidence is not something that can be evaluated factually. I agree with Ryan; we tend to see the second type of issue come up more often with CAs from certain countries. This sort of non-data driven issue is not appropriate to raise. Instead show what should have happened and what did not. Thanks, Peter _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
