> On Jan 18, 2018, at 08:53, Ryan Sleevi <r...@sleevi.com> wrote:
> 
> If Mozilla was committed to an equitable set of criteria for both incumbents 
> and newcomers, then one natural consequence of this is that all incumbents 
> should be required to rotate their keys to new roots, created under audit 
> criteria acceptable to Mozilla, and to transition issuance to these roots. 
> This is, for what it's worth, notably similar to the consensus proposal 
> regarding Symantec and the Managed Partner Infrastructure, and serves to 
> mitigate a broad swath of risks.
> 
> So I don't see any argument suggesting it *shouldn't* apply to existing roots 
> - if anything, such a policy requirement would go substantially to both 
> reduce the benefits afforded to incumbents through entropy, and to ensure 
> that Mozilla's users are adequately protected as the emerging security and 
> threat landscape changes. It does not prevent devices which cannot update (as 
> you can cross-certify), but ensures that the security critical, 
> responsibly-developed applications that do update can ensure their users are 
> protected. 

Yes, this is what I was thinking when I wrote the initial email. There are 
massive security benefits to Mozilla’s users if all CAs roll their roots and 
are re-evaluated after implementing an updated inclusion policy and ongoing 
requirements based on the goals that Alex described.

I don’t think the conversations are separate. They are necessarily the same. It 
doesn’t make sense to update the inclusion policies and not look at roots that 
are already included unless you want to continue favoring incumbents.

Jonathan
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
