On Fri, Sep 8, 2017 at 2:39 PM, Jakob Bohm via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> On 07/09/2017 17:17, Gervase Markham wrote:
>
>> Mozilla has decided that there is sufficient concern about the
>> activities and operations of the CA "PROCERT" to collect together our
>> list of current concerns. That list can be found here:
>> https://wiki.mozilla.org/CA:PROCERT_Issues
>>
>> Note that this list may expand or reduce over time as issues are
>> investigated further, with information either from our or our
>> community's investigations or from PROCERT.
>>
>> We expect PROCERT to engage in a public discussion of these issues and
>> give their comments and viewpoint. We also hope that our community will
>> make comments, and perhaps provide additional information based on their
>> own investigations.
>>
>> When commenting on these issues, please clearly state which issue you
>> are addressing on each occasion. The issues have been given identifying
>> letters to help with this.
>>
>> At the end of a public discussion period between Mozilla, our community
>> and PROCERT, which we hope will be no longer than a couple of weeks,
>> Mozilla will move to make a decision about the continued trust of
>> PROCERT, based on the picture which has then emerged.
>>
>> Gerv
>>
>>
> Although violating the same rules, and involving the same certificates;
> for purposes of risk assessment I think issue K should be divided into
> two issues:
>

Note, I was explicitly suggesting we not do this, because this introduces a
greater level of subjectivity of assessment, and based on incomplete or
unknowable information. For this reason, ensuring a consistent application
of risk (e.g. the factors that allowed this to happen are the same) is far
more beneficial for the community and for consistency in application of
policy. So I do not believe we should split these issues up, and do not
think it would help the discussions.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy