On Thu, Jun 5, 2025 at 4:28 PM Mike Shaver <[email protected]> wrote:
> On Thu, Jun 5, 2025 at 4:25 PM Jeremy Rowley <[email protected]> wrote:
>
>> They don't, but what is the incentive of the CA to give the relying party
>> more protection while risking revocation if someone writes the information
>> incorrectly.
>
> There's a small part of me, even after all these years, that believes that
> the whole point of being a CA is to help secure the web for its users. If
> that's not a shared motivation, then our only option is the force of the
> BRs and root programs, and we should stop negotiating entirely with
> misaligned members of the ecosystem.

(Accidental send.)

Like when Taher was originally designing SSL and needed to anchor trust in something, Netscape reached out to companies who (it was believed) could do a good job anchoring that trust such that, wait for it, relying parties could trust the identity of the site they were connecting to. The ability to extract rent from having one's company's random number embedded in the browser is very much a secondary outcome, and clearly not an entirely benign one.

Mike
