On 07/08/17 22:30, Jakob Bohm wrote:
> Since the CT made it possible, I have seen an increasing obsession with
> enforcing every little detail of the BRs, things that would not only
> have gone unnoticed, but also been considered unremarkable before CT.

I am firmly of the opinion that all BR and RFC violations are of
interest to the community. That is a separate question from what should
be done about them.

> Do we really want the CA community to be filled with bureaucratic
> enforcement of harsh punishments for every slight misstep?

No. I would expect responses (I wouldn't use the word 'punishments') to
be appropriate to the level of problem they are addressing. However,
there is a cumulative element to CA problems because it speaks to
competence.

A CA's job, in the abstract, is to read a large number of documents full
of rules and build a system which keeps those rules and doesn't allow
them to be broken. Therefore, instances of rule-breaking are of interest
to those whom the CA would like to trust their system, because they
indicate either a lack of comprehension of the rules or a lack of
ability to write code that follows them, both of which are of interest.

This is not to say that we expect perfection from every CA. But when
things do go wrong we expect a particular sort of reaction (more on that
soon, I hope), and we don't expect different things to be going wrong
every month, or the same thing to be going wrong multiple times.

Gerv

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
