On Sun, Jul 12, 2020 at 10:13:59PM +0200, Oscar Conesa via dev-security-policy wrote: > Some CAs may want to assume a leadership role in the sector and unilaterally > assume more additional strict security controls. That is totally legitimate. > But it is also legitimate for other CAs to assume a secondary role and limit > ourselves to complying with all the requirements of the Root Program. You > cannot remove a CA from a Root Program for not meeting fully SUBJETIVE > additional requirements.
I fear that your understanding of the Mozilla Root Store Policy is at odds with the text of that document. "Mozilla MAY, at its sole discretion, decide to disable (partially or fully) or remove a certificate at any time and for any reason." I'd like to highlight the phrase "at its sole discretion", and also "for any reason". If the CA Module owner wakes up one day and, having had a dream which causes them to dislike the month of July, decides that all CAs whose root certificates have a notBefore in July must be removed, the impacted CAs do not have any official cause for complaint. I have no doubt that such an arbitrary decision would be reversed, and the consequences would not make it into production, but the decision would not be reversed because it "cannot" happen, but rather because it is contrary to the interests of Mozilla and the user community which Mozilla serves. - Matt _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
