On Thu, 12 Jun 2025, Ryan Hurst wrote:
> A document that says "We do X, we do Y" but also says "YOLO" isn't much of a promise in my opinion, and CPSs are intended to be a promise.
It isn't, and Relying Parties could interpret that as such. However when a CA makes meaningful commitments and backs those up with "If we don't, it'll actually have a price tag for us.", that's something else. I can easily see how this can usefully inform trust decisions by Relying Parties. Much better than not mentioning it.
Some mechanism to prevent this from straying into a PR opportunity "we strive for excellence, but no promises!" might be adequate, but that doesn't preclude the usefulness of commitments backed by something less than revocation that otherwise wouldn't be made.
Tobi
