On Wed, 22 Nov 2017 13:00:40 -0500 Ryan Sleevi via dev-security-policy <[email protected]> wrote:
> But would such statements, such as "I promise I won't do X again, and
> look, here's a document that now says explicitly 'We have trained
> sharks and equipped them with lasers to ensure we do not do X again'"
> be seen as a sufficient mitigation?

I don't see any reason why we would want to take that risk. It's not easy to spin up a new CA, but it's also not rocket surgery. Why should we prefer to re-admit a previously distrusted organisation over taking a chance with someone new and untried? Is there a shortage of organisations interested in this role? I don't think so.

Running a publicly trusted CA is not a right which was temporarily suspended; it's a privilege you might earn. Mozilla should operate with a default assumption that losing this privilege is permanent.

Nick.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

