On Sun, Mar 3, 2019 at 5:54 PM Matthew Hardeman via dev-security-policy <[email protected]> wrote:

> On Sun, Mar 3, 2019 at 2:17 PM bxward85--- via dev-security-policy <[email protected]> wrote:
>
> > Insane that this is even being debated. If the floodgates are opened here
> > you will NOT be able to get things back under control.
>
> While I can appreciate the passion of comments such as this, I think we're
> still back at a core problem:
>
> How can you reconcile this position with the actual program rules &
> guidelines? If they're declined on some discretionary basis, you lose the
> transparency that's made the Mozilla root program so uniquely valuable.

It is not clear how this follows. As my previous messages tried to capture, the program is, and has always been, inherently subjective and precisely designed to support discretionary decisions. These do not seem to inherently conflict with or contradict transparency.

Even setting aside the examples of inclusions - ones which were designed to be based on a communal evaluation of risks and benefits - one can look at the fact that every violation of the program rules and guidelines has not resulted in CAs being immediately removed. Every aspect of the program, including the audits, is discretionary in nature.

It would be useful to understand where and how you see the conflict, though.

