On 01/06/17 13:49, Ryan Sleevi wrote: > I would encourage you to reconsider this, or perhaps I've misunderstood > your position. To the extent that Mozilla's mission includes "The > effectiveness of the Internet as a public resource depends upon > interoperability (protocols, data formats, content) ....", the > well-formedness and encoding directly affects Mozilla users (sites working > in Vendors A, B, C but not Mozilla) and the broader ecosystem (sites > Mozilla users are protected from that vendors A, B, C are not).
My point is not that we are entirely indifferent to such problems, but that perhaps the category of "mis-issuance" is the wrong one for such errors. I guess it depends what we mean by "mis-issuance" - which is the entire point of this discussion! So, if mis-issuance means there is some sort of security problem, then my original definition still seems like a good one to me. If mis-issuance means any problem where the certificate is not as it should be, then we need a wider definition. I wonder whether we need a new word for certificates which are bogus for a non-security-related reason. "Mis-constructed"? Gerv _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
