On Tue, Jun 10, 2025 at 5:45 AM Antonios Chariton <[email protected]> wrote:
> 1) As there’s no single legal framework under which all CAs operate, I don’t think Mozilla or any other Trust Store can implement a single rule that fits everyone.

This is true for the current population of CAs. It would be possible, AIUI, for a root program to say “we will only admit CAs that are governed by law which honours the choice-of-law provision in our policies”. (That might require root programs to *have* contracts with CAs—I think only one major root program has such things, and they add other kinds of complexity. Would be an interesting legal exploration, I think!)

That might mean that not all current or aspirant root CAs continue to be trusted, but I don’t think anyone has a moral right to operate a trusted CA. CAs should be chosen according to their impact on the security and accessibility of the web, IMO, not simply on the basis of having completed some paperwork successfully.

If a CA cannot or does not operate according to the trust principles of a root program—be that because of legal injunction or mere incompetence—then they should not be trusted irrespective of how fulsomely their chosen WebTrust auditor sings their praises. (In the history of distrust events, has an auditor ever identified and raised an issue before it impacted the public web?)

Mike

--
You received this message because you are subscribed to the Google Groups "[email protected]" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CADQzZquSWwYSf_PMR2%3Dis%2BMUVxbx0Mpa2ZVwbCytMgk6k0paZQ%40mail.gmail.com.
