On 2021-01-19 11:02, Ramiro Muñoz wrote:
On Tuesday, 19 January 2021 at 0:49:42 UTC+1, Matt Palmer wrote:
On Sun, Jan 17, 2021 at 12:51:29AM -0800, Ramiro Muñoz via dev-security-policy wrote:
We don’t ask the community to disregard the data, on the contrary we ask
the community to analyze the data thoroughly including the impacts
produced.
OK, I'll bite. As a member of the community, I've analyzed the data
thoroughly, and I'm not impressed. Camerfirma does not appear to grasp the
fact that "nothing bad has happened yet" is a *bad take*. "Nothing bad has
happened yet" is how every CA starts its life. It is not something to be
proud of, it's the absolute bare minimum. The volume of incidents that
Camerfirma has had is troubling, but it's the repetition of the nature of
the incidents, and the lacklustre way in which they have been responded to,
that causes me to think that Camerfirma has no place in the Mozilla trust
store.

- Matt

Dear Matt,

Thanks for your input, we really appreciate your time in contributing to this 
discussion.

We are trying to make this discussion as objective as possible, and talking 
about objectivity I’d like to ask you where the ‘bare minimum’ threshold 
stands according to Mozilla Root Store Policy. And why you are positioning 
Camerfirma below such a ‘bare minimum’ bar considering that Camerfirma, 
according to the public data, is not the member with the highest number of 
incidents nor the member with the most severe ones.

I think you misunderstand Matt's mail.

If "something bad has happened" was the case, this would be a much different discussion. As far as we know, you're still meeting the bare minimum. But the bare minimum is not good enough.


Kurt
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
