On Fri, May 17, 2019 at 1:21 AM Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote:
> On 17/05/2019 01:39, Wayne Thayer wrote:
> > On Thu, May 16, 2019 at 4:23 PM Wayne Thayer <wtha...@mozilla.com> wrote:
> >
> >> I will soon file a bug requesting removal of the “Certinomis - Root CA”
> >> from NSS.
> >
> > This is https://bugzilla.mozilla.org/show_bug.cgi?id=1552374
>
> To more accurately assess the impact of distrust, maybe someone with
> better crt.sh skills than me should produce a list of current
> certificates filtered as follows:

If you feel this is important to consider, especially if it may impact any proposals, may I ask why you waited so long to suggest this, and how you see this information being used now?

There is value in analyzing the information when exploring options, and I have no doubt, given how trivial it is to explore this information from CT, that it was and has been taken into consideration. It was certainly something I looked at when Wayne proposed options, and it’s clear that Andrew Ayer has run similar analysis.

However, I do not believe it valuable or productive to be suggesting at this venture, and I think it’s a particularly unhelpful way to engage to suggest to do so. If you feel that such information should change how things progress, or you’re unsure of whether it has been taken into consideration, it seems that concern could have been raised over the past month of discussion.

The suggestion, as presented, does not lead to any concrete behavior changes - it’s merely presented as information for information’s sake. If there is a feeling that it should change something: the proposed next steps, the timeline, the implementation details of the action, that the next steps are too risky, etc, then it is far more productive to simply state that, and explain your point of view, so as to justify why you believe it valuable to look at this information.

It has been considered. If you would like to consider it for yourself, the information is readily available.
If you believe the information should change things, you should say so, and during the community discussion phase. As presented though, I’m not sure it’s a very useful or helpful statement, so something clearer would be much more beneficial.