Nadim and Matthew,

Can you explain and provide examples for how this "set of empirical
requirements" differs from the objective requirements that currently exist?

Nadim, your latest suggestion sounds different from your earlier suggestion
that Mozilla provide a "set of unambiguous statements for which it would
require DarkMatter to categorically and fully deny." In my opinion, the
question is not if DarkMatter can make such promises (their CP already
states that “Public Trust Issuing CAs in the UAE National PKI must not be
used for Man in the Middle (MITM) purposes”), but if DarkMatter is trusted
to uphold such promises.

- Wayne

On Thu, Mar 7, 2019 at 9:10 AM Matthew Hardeman via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> On Thu, Mar 7, 2019 at 9:18 AM nadim--- via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
>
> > I would like to repeat my call for establishing a set of empirical
> > requirements that take into account the context of DarkMatter's current
> > position in the industry as well as their specific request for the
> > inclusion of a specific root CA.
>
>
> I also concur in this to the extent possible.
>
>
> > While I don't necessarily fully support the method with which Benjamin
> > chose to address Ryan's contributions to the discussion so far, I think
> > we're all choosing to kid ourselves here if we continue to say that the
> > underlying impetus for this discussion isn't primarily sociopolitical. The
> > sooner an end is put to this, the better.
> >
>
> I concur in as far as the result, which is to say that I don't necessarily
> say that it _is_ "primarily sociopolitical" but rather that there is at
> least the appearance and nearly indefensible criticism that it could be.
>
>
> > The right thing to do, right now, is for there to be a documented process
> > through which a set of empirical, falsifiable, achievable requirements are
> > set by either Mozilla, the CABForum, or both, for DarkMatter to fulfill so
> > that they can be considered for inclusion. If these requirements are (1)
> > defined fairly and (2) achieved by DarkMatter verifiably, then great.
> > Otherwise, too bad.
> >
>
> Indeed the ramifications of a discretionary revocation of the intermediates
> or block from joining the root program, if not objectively and cleanly
> explained, would likely have a chilling effect on ANY newcomer.  When a
> reasonable, documentable, objective path to earning and maintaining trust
> in the program exists, investment of time and resources can reasonably
> flow.  A new counter-case of an organization that has met all the
> requirements and still somehow doesn't meet the bar would be most
> discouraging.
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
>