On Thu, Jan 25, 2018 at 11:48 AM, Jonathan Rudenberg <jonat...@titanous.com> wrote:
> This is a great improvement. I think we should also ask that any CAs using
> these methods immediately disclose that they are and the procedures they are
> using, as well as the date they expect to complete a review of their
> implementation, and then provide the review when it is complete.

The scope of this issue is much different from the method .9 and .10 vulnerabilities - a lot of CAs use methods .1 and .5. Asking them all to answer these questions seems likely to just yield a bunch of "we reviewed our implementation and it is perfect" emails. What do you hope to learn from this disclosure that hasn't already been discussed?

What do others think? If we want to hold CAs accountable for this disclosure, we'll need to turn this communication into a survey and give CAs a certain amount of time to respond, so we won't have answers for weeks.

- Wayne
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy