- From: Jeffrey Walton <noloader@gmail.com>
- Date: Mon, 6 Apr 2015 15:59:58 -0400
- To: Brad Hill <hillbrad@gmail.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
On Mon, Apr 6, 2015 at 3:34 PM, Brad Hill <hillbrad@gmail.com> wrote: >>The WebApp Sec group is creating policy and providing implementation >> guidance based on a particular trust model that's not being followed. >>How can the WebApp Sec group claim its not their problem when they are >>predicating functionality like secure origins on it? > > All technology has dependencies and foundations. The policy questions about > acceptable business practices for binding a name to a key, making assertions > about that in a certificate, and what audit and control procedures should > govern that are at a different layer than WebAppSec operates at. > > Even if we wanted to talk about it, the people who actually manage these > issues for browsers and operating systems are not paying attention here - > they are participating at the CABF and the Mozilla policy list, and that's > where you need to go to effect any changes. Thanks Brad. /EOM for me. If interested, you can follow the issue further at "GeoTrust and Ubiquitous CA Public Root program," https://bugzilla.mozilla.org/show_bug.cgi?id=1151348. Jeff
Received on Monday, 6 April 2015 20:00:25 UTC