On Thu, Nov 8, 2018 at 8:51 PM Jakob Bohm via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> Over the years, there has been some variation among participants in how
> harshly individual mistakes by CAs should be judged, ranging from "just
> file a satisfactory incident report, and all will be fine" to "Any tiny
> mistake could legally be construed as violating a formal requirement
> that would be much more catastrophic under other circumstances,
> therefore the maximum penalty of immediate distrust must be imposed".
>

This doesn't seem like an accurate description of the debates within the
Mozilla CA program, or this list, at all. I've never heard anyone make an
assertion that sounds like either extreme.

The long-term participants here, including those who press CAs hard, have
all responded very positively to timely, detailed incident reports that
properly demonstrate an understanding and addressing of root cause.

There have definitely been quite a few CAs who have had incident reports
dragged out of them, or filed incident reports that addressed surface level
issues without any seeming acknowledgment of the gravity of the issue.

Where incidents with little _immediate_ security impact have occurred (such
as certain kinds of spec non-conformity), they have typically become major
issues not on the depth of perceived impact, but when there is a failure to
acknowledge that poor responses to small issues are highly predictive of
future large issues, or a long-term pattern that demonstrates this
empirically.

The major distrust events of the last few years have all been preceded by
robust discussion and demonstration of long-term issues, and months or
years of poor communication with the community.

In other words, no one has been tossed on a technicality, and I've never
seen any regular member of the community advocate for tossing someone
solely on a technicality.


> Furthermore, people with some clout tend to shut down all
> counterarguments when taking either extreme position, creating a situation
> where only their own position is heard, making the entire "community"
> aspect an illusion.
>

This isn't my experience at all. Contributions from community members are
certainly distributed unevenly, but that seems to correspond most closely
to folks for whom participation here is part of their day job. That would
particularly be true for those who have spent years engaging in oversight
of a shifting array of CAs. And since the Mozilla CA Program itself is a CA
oversight program, those members have a very credible claim to represent
the community, even if others don't always have the time or mandate to
devote time to articulating the same arguments.

In general, I don't believe this post is well-grounded in fact, and
presents an inaccurate view of the Mozilla CA program's history. As a
result, I don't think it's likely to produce a constructive discussion.

-- Eric

-- 
konklone.com | @konklone <https://twitter.com/konklone>
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy