On 18/01/18 14:24, Ryan Sleevi wrote: > Or, conversely, that we cannot discuss inclusion policies in isolation from > discussion root policies - we cannot simultaneously work to strengthen > inclusion without acknowledging the elephant in the room of the extant CAs.
We aren't necessarily "strengthening" inclusion, in the sense of making it harder to get in - the outcome of the discussion could be a loosening. If we come up with new inclusion criteria and some existing CAs do not meet them, we would need to have a separate discussion to decide what to do, with the main options being grandfathering them in, restricting them in some way, or removing them. > Isn't this effectively the VISA situation? When were their first audits - > late 2016 / early 2017? I'm not certain; I'll ask Kathleen. Gerv _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy