In the WebPKI, the contract analogy collapses: the "other party" isn't a single customer who can waive a breach; it's billions of relying parties who get zero say and zero cure period.
That's why revocation is tied to CPS alignment. Some folks claim that easing enforcement will somehow coax CAs into greater transparency, but when has relaxing the rules ever improved openness in the WebPKI? So far no one has presented an argument that credibly tells the story that the core problem is over-enforcement. Until that happens, I hope the community defaults to a more common-sense interpretation—maybe mine: that CPSs are still after-the-fact paperwork, hand-typed, not used by the organization that publishes them, and everyone just prays no one looks. That's a governance failure, not a transparency strategy.

Ryan
