On Thursday, 1 September 2016 08:54:16 UTC+1, Eddy Nigg wrote:
> Not so, rather according to my assessment, the cost and everything it
> entailed (including other risks) to fix that particular issue outweighed
> the benefits for having it fixed within a time-frame shorter than that.

It seems to me that was not your decision to make. The relying parties trust StartCom on the basis that it will do what it said it would do, not just whatever "in your assessment" offers most benefits to you. The only option that was permissible without seeking some exception was to cease issuance until the problem was repaired.

To StartCom, ceasing issuance feels like a really big risk, that is understood. But for the relying parties it's not. StartCom could go out of business tomorrow and the relying parties see almost no impact from that. So for them your risk/reward trades look very different. You must understand this and act accordingly.