On Tue, Feb 6, 2018 at 6:03 PM, Paul Kehrer via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> So, how long is too long?

This is the crux of the issue for me. If a CA (that really should have stopped responding 'good' for unknown certs back in 2013) needs to select, purchase, and deploy an entirely new OCSP system, is 5 months a really long time? From their perspective, probably not. I don't believe there is a standard answer to this question that can apply to a whole class of issues, but I do think we could do a better job of communicating our expectations when a situation like this arises by making a statement such as 'being a CA that has been granted the public's trust, Mozilla expects problem X to be resolved in Y days'. Responsible CAs will meet the deadline and thus distinguish themselves from CAs that simply aren't taking the problem seriously.

Wayne