On Wed, Mar 1, 2023 at 9:57 PM Ryan Hurst <ryan.hu...@gmail.com> wrote: > > Jeremy, > > I wanted to respond to your other two comments. > > [JR] That wasn’t proposed language. That was pointing out a flaw in saying > “No censorship is allowed”. > > To be clear, my proposed language did not say “no censorship is allowed”. > Suggesting so would be what I think most would consider a straw man argument. > What I did say, in essence, is that said censorship only when served the > legal obligations of the CA or requirements of other root programs. > > This in essence says if a government says we want you to censor people here > is the definition we want you to follow. If a root program wants you to > censor here is the standard we want you to follow and Mozilla respects their > right to do so. > > Basically, there needs to be a clear standard so it is applied uniformly.
I'd like to suggest a more generalized approach to the issue. First off we should require that the CPS cover in detail who the CA issues for, and what will lead to non-issuance. That information is important for evaluating the risk vs. reward of adding a CA. Secondly we should say that content based restrictions are inappropriate vs. e.g. "we only serve educational institutions", "we only serve *.ir domains", etc. Otherwise I think we'll end up debating the merits of a particular decision endlessly vs. separating into the CPS and whether it was followed. The other point I want to raise is that if CAs broadly have limited sets of issuance, we might be in a situation where some websites could not transition in case of distrust. That would be problematic for the health of the ecosystem, and is a reason we need to evaluate who CAs will and will not serve. Sincerely, Watson -- You received this message because you are subscribed to the Google Groups "dev-security-policy@mozilla.org" group. To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-policy+unsubscr...@mozilla.org. To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CACsn0c%3DPnv-%3DjzG%3DWRk9XOcnePd%2BzyToE5QCknjVHtw0rnHJpQ%40mail.gmail.com.
