Self-assessment is insufficient :-) That's why we require audits, review issued certificates for technical violations, and attempt to empower domain owners to identify misissuance.
As we move to a world with greater participation of public CAs in Certificate Transparency (hopefully 100% eventually), we can increasingly rely on objective measures to judge across CAs.

Alex

On Thu, Jan 18, 2018 at 4:23 AM, Gervase Markham via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> On 17/01/18 14:54, Alex Gaynor wrote:
> > In summary, I think we should focus less on the questions of whether a CA
> > is "appropriate" or "deserving" of participation in the Mozilla Root
> > Program, and more on whether they are willing and able to fulfill the
> > expectations of them as a steward of global trust on the internet.
>
> If you ask any applicant "are you willing and able to fulfil what is
> expected of you as a steward of global trust on the Internet?", and they
> know they have to say "Yes" to get in, they will say "Yes". So is the
> upshot of your position that anyone who wants to apply can get in?
>
> Gerv

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy