On Fri, Dec 07, 2018 at 08:13:24AM -0800, pilgrim2223--- via dev-security-policy wrote:
> As a retail organization we are in a moratorium till 1/2/2019; this happens
> every year. So nothing is being done that may jeopardize selling of
> widgets!

Choosing to not do something is, itself, doing something.

> The project owners claim that timeline is impossible, and deploying 30 day
> validity certs is a similar level of effort without the code changes, and
> even that may not be possible.

By a strict reading of the BRs, these misissued certificates should have
been revoked within, at most, five days. If future problems are identified,
that may happen. So I suggest you talk to your project owners, apprise them
of the situation, and take steps to allow your systems to be able to react
in line with this potential timeline.

> To be perfectly clear here. We are 100% on board with a deprecation of
> the underscore (once we learned there was an issue with them from our CA
> we started restricting their issuance)

This is not a change in the rules (the BRs have always forbidden this type
of issuance), nor is it even a change in external circumstance (new research
results showing something that was thought to be safe wasn't). Your CA sold
you something they shouldn't have, and which they should have known they
shouldn't have. If you're unhappy with what your CA sold you, I would
recommend discussing the problem with them, perhaps with the assistance of
your legal team.

> now, and does not pose a security vulnerability.

I assume you've got something to back up that statement, beyond "I can't
think of any way this could be a security vulnerability". There are more
implementations in heaven and earth than are dreamt of in your philosophy,
and all that.

- Matt

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy