On Mon, Mar 23, 2020 at 6:18 PM Burton <j...@0.me.uk> wrote:

> Hi Ryan,
>
> I’m of the belief that CAs are a public service and as such they should
> provide public information regarding their operational status. The
> questions outlined below were open ended to provide CAs flexibility in the
> way they approach answering the questions.
>

While I appreciate that explanation, I disagree that there's much more
value to be had versus asking CAs what their favorite color was or how they
were feeling today. These questions are vague, and your further comments
(quoted) only emphasize the "damned if they do, damned if they don't"
approach you're proposing, which I think is quite unhealthy.

> I believe that the questions are of value to the community only if CAs
> cooperate by providing answers that are useful, brief and to the point
> instead of non-useful throwaway answers.
>
> To end, I do hope that most if not all CAs answer these simple questions
>

As a party deeply invested and interested in the trustworthiness of CAs, I
cannot help but again stress that these are anything but simple.


> as it doesn’t look good if they don’t because CAs are about trust and
> trust is fulfilled by being open as they can be regarding their operations.
> Without said openness there is no trust.
>

I think it's worth asking whether that same justification applies to asking
CAs what their favorite color was, or how much each person makes, or what
they had for breakfast. You might think that's not fair, because
operational status is, yanno, operational, but the lack of definition here
is so profound that it makes the questions meaningless.

I also worry that rather than improve participation here by CAs, it serves
as a barrier and a justification for why they shouldn't, if "just anyone"
can submit questions that they have to answer, are judged if they don't,
and judged if they do. The policy doesn't require that degree of
participation, as it says (emphasis added):

CAs MUST follow and be aware of discussions in the
mozilla.dev.security.policy forum, where Mozilla's root program is
coordinated. They are encouraged, *but not required,* to contribute to
those discussions.

I think the process of formal CA Communications is designed to try to ask
questions that are crisp, clear, and actionable - which is why these
communications undergo public review for feedback before they're sent, to
try to make sure they're asking the right questions. It also helps clarify
what's required, and what isn't.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
