> On Tue, 23 Feb 2016 18:57:41 +0000
> Gervase Markham <g...@mozilla.org> wrote:
>
>> Please comment on whether this proposal seems reasonable, being aware
>> of the short timelines involved.
>
> I am opposed. There is no telling how many other organizations are in a
> similar situation due to poor planning or "oversights" on their part,
> and who will also want special treatment. Granting this exception will
> set an expectation that exceptions will be granted in the future and
> therefore that deadlines and deprecations need not be taken seriously.
> That would have a negative effect on efforts to move the security of
> the Internet forward.
>
> Multiple mistakes were made by Worldpay (using public roots, leaving
> the transition to the last minute, and then forgetting to renew before
> the sunset) and Symantec (failing to make sure their customer was
> prepared). They had ample opportunity to avoid a crisis. It is not
> Mozilla's responsibility to dig them out of the hole they have dug for
> themselves, and doing so is contrary to Mozilla's interest in keeping
> the Internet secure.
>
> Additionally, none of the stipulations in the proposal mitigate the
> risk of SHA-1 issuance. Disclosure and revocation do no good if an
> undisclosed, unrevoked certificate (possibly with CA:TRUE) can be
> collided with the disclosed and revoked certificate.
If OneCRL always used the same hash algorithm as the certificate, then any
colliding certificate would also be treated as revoked.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
