Re: Fate of Secure Origins in Question?

On Mon, Apr 6, 2015 at 3:34 PM, Brad Hill <hillbrad@gmail.com> wrote:
>> The WebApp Sec group is creating policy and providing implementation
>> guidance based on a particular trust model that's not being followed.
>> How can the WebApp Sec group claim it's not their problem when they are
>> predicating functionality like secure origins on it?
>
> All technology has dependencies and foundations.  The policy questions about
> acceptable business practices for binding a name to a key, making assertions
> about that in a certificate, and what audit and control procedures should
> govern that are at a different layer than WebAppSec operates at.
>
> Even if we wanted to talk about it, the people who actually manage these
> issues for browsers and operating systems are not paying attention here -
> they are participating at the CABF and the Mozilla policy list, and that's
> where you need to go to effect any changes.

Thanks Brad. /EOM for me.

If interested, you can follow the issue further at "GeoTrust and
Ubiquitous CA Public Root program,"
https://bugzilla.mozilla.org/show_bug.cgi?id=1151348.

Jeff

Received on Monday, 6 April 2015 20:00:25 UTC