It's not just 'a promise', it's a contractual agreement. I honestly find 
the resurgence of this CP/S discussion rather odd as I was under the 
impression it was re-discussed and agreed over a year ago with Entrust.

The decision to start talking about credits to subscribers is also rather 
narrow-minded on commercial CAs and their financial relationship with 
subscribers. That has no bearing on a CA's trust to relying parties, nor is 
it relevant to CAs that do not operate commercially such as Let's Encrypt.

With regards to a disconnection between actual practices and what the 
contractual document states: that is a CA's problem to fix, and incentives 
must exist to that end.

What is the actual outcome that people want from a discussion on this front 
ultimately? We're approaching a bizarre choice to lower all expectations 
for any statement by a CA in legally binding documents to mean anything, on 
the off-chance that they are held accountable and must face minor 
repercussions. How is this creating a more trustworthy and transparent 
environment for the WebPKI to operate in?

Frankly that the topic is also being brought up at CAB/F shows a lack of 
willingness by CAs to keep to their own agreements, and that reflects on 
the trust between parties. We can talk about automatically generating the 
certificate profile off of the actual configuration of issuance systems, 
but that seems to be a minor point of discussion and a bit irrelevant to 
the issue at hand.

- Wayne

On Thursday, June 12, 2025 at 4:09:18 PM UTC+1 Tobias S. Josefowitz wrote:

> On Thu, 12 Jun 2025, Ryan Hurst wrote:
>
> > A document that says "We do X, we do Y" but also says "YOLO" isn't much of
> > a promise in my opinion, and CPSs are intended to be a promise.
>
> It isn't, and Relying Parties could interpret that as such. However when a 
> CA makes meaningful commitments and backs those up with "If we don't, 
> it'll actually have a price tag for us.", that's something else. I can 
> easily see how this can usefully inform trust decisions by Relying 
> Parties. Much better than not mentioning it.
>
> Some mechanism to prevent this from straying into a PR opportunity "we 
> strive for excellence, but no promises!" might be adequate, but that 
> doesn't preclude the usefulness of commitments backed by something less 
> than revocation that otherwise wouldn't be made.
>
> Tobi
>
