On 16/08/2018 21:51, Matthew Hardeman wrote:
> Of late, there seems to be an ever increasing number of misissuances of various
> forms arising.
> Despite certificate transparency, increased use of linters, etc, it's virtually
> impossible to find any CA issuing in volume that hasn't committed some issuance
> sin.

The main cause of this seems to be that CT has allowed much more
vigorous prosecution of even the smallest mistake. Your argument
is a sensationalist attack on a thoroughly honest industry.

> Simultaneously, there seems to be an increasing level of buy-in that the only
> useful identifying element(s) in a WebPKI certificate today are the domain
> labels covered by the certificate and that these certificates should be issued
> only upon demonstrated control of the included domain labels.

That is a viewpoint promoted almost exclusively by a company that has
way too much power and is the subject of some serious public
prosecution. Kowtowing to that mastodon is not buy-in or agreement,
merely fear.
The rest of your proposal follows from your bad premises and must be
rejected.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy