On Thu, Aug 03, 2017 at 02:38:33PM +0000, Ben Wilson via dev-security-policy wrote: > Here is the response from Intesa Sanpaolo concerning the disruption that > revocation will cause to their banking operations:
[...] > Concerning the CA revocation, first of all, I want to underline that for us > it would be a major issue: we don't have enough time and resources to > replace all the certificates before the end of the year and the revocation > of the CA will cause us several critical operating problems with our > infrastructural services. They don't appear to have enough time and resources to run a CA properly, either, and the non-revocation of the CA certificate causes the rest of the Internet critical security problems. Adding the intermediate to OneCRL and revoking on 15th August seems like a reasonable compromise to solve an issue that is, when all is said and done, entirely of their own making. December 31, being nearly five months away, is far too long, IMO. A 15th August deadline gives them 10 days to replace 300 public certs, which is 30 certs to do per day... that seems reasonable for one person to do, and I'm sure there's more than one person at **a bank that runs its own CA** who can do certificate replacements. If that's considered too aggressive a deadline, I'd ask Intesa Sanpaolo what their *absolute* earliest possible date for non-disruptive distrust would be. Then we can decide if that's reasonable or not. - Matt _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
