On Wednesday, 27 September 2017 18:56:27 UTC+2, Kathleen Wilson wrote:
> In past incidents, we have provided a list of action items that the CA must 
> complete before they can be re-included in Mozilla's root store.
> 
> What action items do you all think PROCERT should complete before they can be 
> re-included in Mozilla's root store?
> 
> What do you think should happen if PROCERT completes those action items 
> before their PSCProcert root is actually removed?

This is about trust. No more, no less. Once you've lost trust, what can be done 
to restore it really depends on how you've lost it. Jumping through a series 
of Mozilla defined (technical) hoops is never going to be convincing. 
Especially not if it takes more several tries. ;-)

So, was it incompetence? Then show that the lacking skills have been acquired. 
Was it human error? Show that you are not relying on human accuracy anymore. 
Etcetera...

And it makes definitely most sense that parties who lose trust come up with a 
relevant plan for this themselves. That is, after identifying what the problem 
was themselves. They will unfortunately have to do that transparently. Here 
where everybody can see it. And where questions can be asked about it and 
answered.

This will definitely be a lot of work and it will certainly not be easy. But 
I'd say that anything less is too little to result in regaining trust.

(Apart from this I personally don't think any CAs will/should be able to find a 
way back from losing trust through willfully lying.)

CU Hans
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
