That's fine. I don't necessarily disagree with removing the root entirely but I do think it's a more heavy-handed remedy than is necessary. I view it as the difference between a punch in the chest vs a strenuous poke. This action is a little more elective on Mozilla's part than other cases we've come across. It's warranted and justifiable, certainly, but not critical like SSLv3 and such. It's very much possible there will be no fallout from this action, but still it's better to be prepared in advance. I do still think it would be a good idea to "get the word out" so that concerned admins can fix their sites before things suddenly stop working. Thanks.
On Fri, Mar 20, 2015 at 10:37 AM, Ryan Sleevi <ryan-mozdevsecpol...@sleevi.com> wrote:

On Thu, March 19, 2015 3:53 pm, Peter Kurrasch wrote:

I'm in the same place as Ryan here. In many security decisions we make, we have to balance breakage for some people vs. risks for everyone else. When we turned off SSLv3 in Firefox, it was still required by something like 0.3% of websites -- several orders of magnitude more than will be broken by removing e-Guven. We decided to do it because supporting that small fraction of sites would impose a downgrade risk for every other site on the web. The situation is analogous here. The benefit of supporting the very small number of sites that use e-Guven (thanks, Peter B!) does not balance the risk posed to every other web site by having a non-compliant CA still accepted.

--Richard
_______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy