On 02/05/17 00:01, Ryan Sleevi wrote:
> Thank you for
> 1) Disclosing the details to a sufficient level of detail immediately
> 2) Providing regular updates and continued investigation
> 3) Confirming the acceptability of the plan before implementing it, and
> with sufficient detail to understand the implications

I echo Ryan's comments here. I'm happy with your remediation plan, and think there's enough wiggle room in the BRs and Mozilla policy that revocation of the certs with "N/A" etc. is avoidable. I still think we need to address that 24-hour revocation requirement to be a bit more nuanced, but that's a separate discussion :-)

Gerv
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy