On Mon, Mar 25, 2019 at 5:30 PM Matthew Hardeman via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> My ultimate intent was to try to formulate a way in which GRCA could
> provide certificates for the applications that they're having to support
> for their clients today without having to essentially plan to be
> non-compliant for a multi-year period.

Matthew,

The existing policy allows for technical solutions to achieve this. Do you think it's unreasonable to expect that a well-operated CA should be knowledgeable enough about PKI and client behaviours to identify and implement such existing technical solutions?

If you do, do you have a sense of where the balance is between the community spelling out the technical solutions for such problems versus the CA being able to manage to do so themselves? Considering the critical role that publicly trusted CAs play, it doesn't seem too unreasonable to expect them to be as knowledgeable as this community in matters of PKI, if not more knowledgeable.