On Wed, Jan 17, 2018 at 7:54 AM, Alex Gaynor <agay...@mozilla.com> wrote:
> Hi Wayne,
>
> After some time thinking about it, I struggled to articulate what the
> right rules for inclusion were.
>

Yes, that is the challenge.

> So I decided to approach this from a different perspective: which is that I
> think we should design our other policies and requirements for CAs around
> what we'd expect for organizations operating towards a goal of securing the
> Internet as a global public resource.
>
> Towards that goal we should continue to focus on things like transparency
> (how this list is run, visibility of audit statements, certificate
> transparency) and driving technical improvements to the WebPKI (shorter
> certificate lifespans, fewer allowances for non-compliant certificates or
> use of deprecated formats and cryptography). If organizations wish to hold
> themselves to these (presumably higher) standards for what could equally
> well be a private PKI, I don't see that as a problem. On the flip side, we
> should not delay improvements because CAs with limited impact on the public
> internet struggle with compliance.
>

Can we separate the ongoing work we need to do to improve the ecosystem from a decision on root inclusion criteria? Or are you saying that we need to set new requirements like these as a condition for changing the root inclusion criteria?

> In summary, I think we should focus less on the questions of whether a CA
> is "appropriate" or "deserving" of participation in the Mozilla Root
> Program, and more on whether they are willing and able to fulfill the
> expectations of them as a steward of global trust on the internet. This has
> the nice benefit of aligning well with Mozilla's mission to ensure the
> internet is a global public resource, open and accessible to all.
>

With this approach we would welcome any CA that can meet the program's requirements, regardless of the intended use of their certificates.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy