On 09/01/2016 11:52 AM, Nick Lamb wrote:
> On Thursday, 1 September 2016 08:54:16 UTC+1, Eddy Nigg wrote:
>> Not so, rather according to my assessment, the cost and everything it
>> entailed (including other risks) to fix that particular issue outweighed
>> the benefits for having it fixed within a time-frame shorter than that.
> It seems to me that was not your decision to make. The relying parties trust StartCom on
> the basis that it will do what it said it would do, not just whatever "in your
> assessment" offers most benefits to you. The only option that was permissible
> without seeking some exception was to cease issuance until the problem was repaired.

First of all, the issue can have been considered fixed due to machine test - evidence for some occurrences took months to resurface and at such low numbers that couldn't be reproduced (something almost required to fix a bug). I'm not sure if you or others here are programmers, but knowing how things work and once we had evidence that there was still a very low occurrence, a plan was set up which included a different hardware and infrastructure.

> To StartCom, ceasing issuance feels like a really big risk, that is understood.
> But for the relying parties it's not.

Let's speak about relying parties - how does this bug affect you?

--
Regards
Signer:         Eddy Nigg, Founder
        StartCom Ltd. <http://www.startcom.org>
XMPP:   start...@startcom.org <xmpp:start...@startcom.org>

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
