I concur that framing as reward versus punishment was not right.

Nowhere did I mean to imply that early actors should get a free pass in
as far as continuing unmitigated validation using a vulnerable validation
method.

The early discoverers and those who reacted early to the vulnerability and
stopped validating have a natural protection against mass attacks upon the
issue becoming prevalently known.  As such, perhaps those who reacted quickly
and earlier than others have the advantage of not needing explicit
revalidation for those validations which were compliant -- at least
validations up to a given time point.

Perhaps those who later reveal their reliance on these methods have higher
burdens of remediation, owing to the natural risk that occurs from being
vulnerable for extended time after significant publication of the issue and
owing to the overall risks evidenced by slow reaction to the initial
reports?

On Fri, Jan 19, 2018 at 1:23 PM, Ryan Sleevi <r...@sleevi.com> wrote:

>
>
> On Fri, Jan 19, 2018 at 1:44 PM, Matthew Hardeman <mharde...@gmail.com>
> wrote:
>
>> Ultimately, if it should arise that other CAs who rely on mechanisms
>> implementing or claiming to implement method #10 have similar risk and
>> vulnerabilities, those CAs should be called to task for not having timely
>> disclosed and remediated.  Further, perhaps those CAs should suffer the
>> burden of mandatory revalidation under a different mechanism, as the
>> vulnerability category has now been acknowledged in the community for some
>> time and the recent press has been significant.
>>
>> In contrast, I think any remediation plan should reward Let's Encrypt and
>> GlobalSign for their diligence and compliance to best practice.
>>
>
> I disagree with this notion of 'rewarding' some CAs by letting the first
> to disclose be allowed to continue to use methods that put users at risk.
> Global user trust is not a 'reward', and removing that trust is not a
> 'punishment' - it is a calculation of risks based on available and
> mitigating factors.
>
> Framing it as 'reward' or 'punishment' unduly manipulates the discussion,
> because it suggests the notion of favorability / unfavorability, when the
> reality is that it's an objective evaluation across a multitude of
> dimensions.
>
> Should those who have not come forward be called to task? Yes. Because
> they're ignoring industry best practice and they should revoke all of their
> certs due to the 'unacceptable risk' clause. That's not a punishment.
> That's mitigation based on the available information (i.e. none, for those
> that didn't self-disclose)
>
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
