On Sat, Nov 05, 2016 at 09:09:49AM +0000, Gervase Markham wrote:
> > If they had sent an incident report to Mozilla I would agree, but I do
> > not think that CAs should be credited for noticing mistakes when they
> > try to sweep them under the rug. This is particularly true in the case
> > of SHA-1 misissuance, where revoking without broader notification
> > demonstrates not competence but rather a lack of understanding of the
> > risks.
>
> Your point being that if they do disclose, the community can then run
> crypto analysis over the cert to see if it's likely to be constructed as
> part of a collision attempt?

I think in general we want to hear from CAs about any incident, including BR violations. For all the bugs we filed in bugzilla about SHA-1, 1024 bit RSA keys, and so on there should be an incident report, and it should _at least_ be mentioned in their audit. But they really should send such incident reports to all root programs at the moment they knew about it.

Kurt
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy