On Fri, 9 Nov 2018 14:56:41 +0100 Jakob Bohm via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> However there are also some very harsh punishments handed out, such as > distrusting some CAs (most notably happened to Symantec and WoSign, > but others are also teetering), and distrusting auditors (most notably > happened to the branch of Ernst & Young that audited the bad parts of > those two). > > A line of arguments often seen is that someone failed once to do > <something> completely right, therefore they cannot be trusted to do > anything similar to <something> right at all, therefore they should no > longer be trusted. I don't think anyone ever said something like that. Particularly I'm not aware of any recent incident where a CA failed *once* and got distrusted. In the cases you mention - Symantec and Wosign - there were multiple issues. In both cases there was also plenty of opportunity for the affected CAs to explain and improve things before a distrust was even considered. It was repeated failures and a long list of issues that led to the distrust. -- Hanno Böck https://hboeck.de/ mail/jabber: ha...@hboeck.de GPG: FE73757FA60E4E21B937579FA5880072BBB51E42 _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy