I'm mostly with you. But Mozilla could issue a blanket moratorium on the issuance of CA=YES certs to external organizations; Verisign would, during the moratorium, only be allowed to issue chained CA certs for Verisign properties.
They could do that today. Nothing would break.
Then they could spend some time --- spend as much time as they like, really --- coming up with a policy that allows extraordinarily trusted companies to sponsor and sign subCAs.
But they didn't do that. It's not just that they only issued a letter; it's that the letter is comically weak.