To try and minimize some of the tone-policing ad hominem, arguments from authority, and thread-jacking, especially on-list, let's circle back to the subject of this thread, and hopefully you can offer constructive solutions there.
Is my understanding correct that your concern is you don't believe it's appropriate to discuss concerns about systemic patterns of misissuance, to highlight specific CAs that have demonstrated misissuance despite every reasonable effort to prevent it, and to suggest that it's reasonable to consider solutions such as either distrusting CAs (if this is simply "a few bad apples") or systemic changes (if this is "all CAs")? Before you veered well off-topic into tone policing, it did seem that the gist of your argument was that you don't think it's reasonable or appropriate to suggest that removing trust in CAs might be an appropriate remediation to sustained patterns of failure?
In the spirit of finding productive solutions, rather than hijacking threads, perhaps you could offer suggestions on what you believe could or should have been done to prevent issues like those we saw. As noted in the original message, Mozilla sent a CA communication reminding CAs of the upcoming change, and requiring they positively confirm that they would abide by it. However, that still failed. This was not a new requirement Mozilla was introducing, but one introduced by Microsoft some time ago. Every one of the CAs responded that they understood the requirement and would abide by it. What, in your opinion, could or should have been done to prevent this?
If your view is that nothing can prevent it, then yes, we'll disagree, and a position of accepting those flaws without attempting to prevent them is likely to find no purchase here. If your view is that something could have been done, but wasn't, then it'd be useful to understand what was missing.
It's unclear if you had thoughts to share on the topic, but if you'd like to suggest it's inappropriate to distrust CAs, or to question whether there are systemic flaws in the CA ecosystem if such events are functionally inevitable, then my hope is you'd have solutions you can offer, and ideas that have not yet been considered.
Those would be examples of productive contributions.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy