On Thu, Mar 19, 2020 at 9:58 AM Wojtek Porczyk <w...@invisiblethingslab.com> wrote:
> On Thu, Mar 19, 2020 at 05:30:31AM -0500, Ryan Sleevi via dev-security-policy wrote:
> > [...] but given that some negligent and irresponsible CAs kept agitating to reduce revocation requirements rather than protect users, the ballot was kept simple.
> >
> > [...] I worry the same set of negligent and irresponsible CAs will try to advocate for more CA discretion when revoking, such as allowing the CA to avoid revoking when they've misled the community as to what they do (CP/CPS violations) or demonstrated gross incompetence (such as easily detected spelling issues in jurisdiction information).
> >
> > I would hope no CA would be so irresponsible as to try to bring that up during such a discussion.
>
> If I'm reading this correctly, you're labeling some CAs as negligent, irresponsible and incompetent based on the discussion and/or voting in CA/B Forum.

No, you're not reading correctly. The adjectives are based on quantifiable, systemic, repeat actions and incidents; they're pre-existing adjectives, independent of the discussion topics they take up. It just happens that those who bear the adjective happen to be the most likely to start those discussions, and were the ones most vocal in the past. Presumably, this is because they're the most likely to benefit, financially and reputationally, from shifting their liability and responsibility onto end users, or because they think in localized instances (such as "their" customer and "their" CA), without appreciating the systemic risk that can be introduced when it's "any" customer and "any" CA. The exception to this would be irresponsibility: it would be irresponsible to try to attach "poison pill" riders that have been repeatedly discussed and rejected, when there exists real opportunity to keep things simple and improve them.
Discussions of revocation requirements always seem to bring out folk who want to relitigate everything, rather than making the necessary progress in meaningful ways. That's the irresponsibility.