Eddy Nigg wrote:
> Frank Hecker:
>> Yes, I'll do that. (Incidentally, I'm now calling it the "potentially
>> problematic practices" list, because there's a lack of consensus on the
>> extent to which some of these practices are problems in general.)
>
> Frank, where is the lack of consensus exactly?

IIRC the reason I changed the wording to "potentially problematic" was that some of the practices weren't necessarily "problematic" in all contexts, at least IMO. Thus, for example, distributing private keys using PKCS#12 is not necessarily a problem, rather it's a problem if the CA doesn't exercise proper care in how the keys are distributed.

The issue here may be in how we interpret the word "problematic". I was interpreting the term "problematic" to be simply a fancy way of saying "this *is* a problem", as opposed to "potentially problematic", which to me means "this *could be* a problem".

> I saw that Kathleen is already asking new applicants for CA cert
> inclusions those questions from the "Problematic Practices" which I
> think to be quite effective.

Yes, I encouraged Kathleen to collect that information, so we could get a better idea as to how widespread these practices are, and where they might constitute real problems. (I was also trying to anticipate any concerns you might express :-)

Frank

--
Frank Hecker
[EMAIL PROTECTED]
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto