Jeremy, On Wed, Dec 19, 2018 at 10:55 PM Jeremy Rowley via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote:
> Done: > > > > https://bugzilla.mozilla.org/show_bug.cgi?id=1515564 > > Thanks for submitting this. > > > It ended up being about 1200 certs total that we are hearing can’t be > replaced because of blackout periods. > > These 1200 are only the ones that can't be replaced by Jan 15th and will cause outages if revoked then? I don't think the information you've supplied is anywhere close to what Ryan asked for or what the community needs in order to make the decision you're asking for. I'm looking for specifics on why every cohort (i.e. every deployment scenario for every customer requesting an extension) of these certificates can't be revoked, such as: * Specific per-customer change freeze dates and the rationale for them * Explanations of the effort and risk involved in replacing them * Reason that publicly-trusted certificates are in use * Reason that the provision for 30-day certificates isn't helpful Only with this information can we have some assurance that any exceptions are limited to the bare minimum and that we're able to learn and improve. Without this information, we're still in the situation of blindly trusting DigiCert to do the right thing, which is no different than having a CA report an incident after the fact. Is it realistic to expect that you can provide the level of detail that Ryan and I are requesting prior to 15-Jan? > From: Ryan Sleevi <r...@sleevi.com> > Sent: Wednesday, December 19, 2018 11:05 AM > To: Jeremy Rowley <jeremy.row...@digicert.com> > Cc: r...@sleevi.com; mozilla-dev-security-policy < > mozilla-dev-security-pol...@lists.mozilla.org> > Subject: Re: Underscore characters > > > > Look forward to seeing and discussing once the full scope of the request > is shared. > > > > On Wed, Dec 19, 2018 at 12:21 PM Jeremy Rowley <jeremy.row...@digicert.com > <mailto:jeremy.row...@digicert.com> > wrote: > > We will post the full list of exceptions today. > > > > One of the big factors should be the risk to the industry/community if the > certificates aren’t revoked. Perhaps we can identify what the risk to the > community is in revocation delays first? There’s no need to know the exact > certs to talk about what the risk associated with underscore characters is. > Could you please explain the risk to the community in a revocation delay as > the “unreasonable” argument isn’t really supported without that > understanding. > > _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
