Trust me, the disclosure was not buried, and the factual details are being 
sorted. However, it would be better for the tone and focus of the thread that 
we make sure to focus on the factual elements, which, as you note, can be 
publicly obtained easily, than to try to imply there's something wrong with 
poor translations.

In any event, we have significant information here to evaluate, ranging from 
the original issues to matters such as the incomplete disclosure of issued 
certificates, and we should be focusing on those elements, the expectations 
under the Mozilla policies, and what responses best balance the need of 
Mozilla users (relying parties) and the Internet at large.

For example, a key question that remains is: Can/Should WoSign be trusted after 
these incidents? If so, is that trust unconditional, or do there need to be 
improvements, and in what form? If WoSign can no longer be trusted, what steps 
should be taken to reflect that across Mozilla products, in a way that, 
ideally, avoids conditioning users, particularly in the emerging markets 
seemingly most served by WoSign, that TLS errors are OK to ignore?

This is where understanding options is important for the discussion.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
