On 24/01/18 22:19, Jonathan Rudenberg wrote:
> While these CAs might want six months, it’s not clear that a good
> argument has been made for this. Let’s Encrypt stopped validating
> using the TLS-SNI-01 method under two hours after learning that there
> was a *potential* security vulnerability in the validation method.
> Why should we expect any less from other CAs? We should err on the
> side of protecting users, not CAs using insecure validation methods
> that don’t even stand up to a small amount of adversarial scrutiny.
Six months may or may not be the right timeline, but I don't think it's fair to compare removing an option in an automated process (which was, in fact, subsequently restored for existing customers within a few days) with retraining all your validation specialists to use a different manual process. Such work cannot be done in 2 hours.

Gerv

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy