Here's my view: we are already in State B.
Can you point to any financial losses caused by someone falsely trusting certs issued by CAs trusted by Firefox?
Enacting the policy will IMHO make no difference to the state, because we are already there. I would have thought that was abundantly clear from the Shmoo example, but I guess we need more evidence to determine the truth or otherwise.
Everyone got blindsided by the Shmoo thing (although we shouldn't have been), the CA concerned included. Blaming the CA alone is somewhat unfair.
Gerv