The original incident report contained all of the details of the initial 
filing. The additional, separated reports are trickling in as I get enough 
info to post something in reply to the updated questions. As the questions 
asked have changed from the original 7 in the Mozilla incident report, getting 
the info back takes time, especially during the holiday season. We're also 
working to close out as many without an exception as possible. Note that the 
deadline has not passed yet, so all of these incident reports are theoretical 
(and not actually incidents) until Jan 15th. I gave the community the total 
potential number of certificates impacted and the total number of customers so 
we can have a community discussion on the overall risk and get public comments 
into the process before the deadline passes. I'm unaware of any policy at 
Mozilla or Google that provides guidance on how to file expected issues before 
they happen. If there is, I'd gladly follow that. 


I’ve started 3 bugs while closing out two additional customers. I have enough 
info to file maybe 1-2 more reports. The rest will probably be filed after the 
new year when people are back working. 


From: Ryan Sleevi <r...@sleevi.com> 
Sent: Thursday, December 27, 2018 11:24 AM
To: Jeremy Rowley <jeremy.row...@digicert.com>
Cc: r...@sleevi.com; dev-security-policy@lists.mozilla.org
Subject: Re: Underscore characters

On Wed, Dec 26, 2018 at 1:03 PM Jeremy Rowley <jeremy.row...@digicert.com> wrote:

Much better to treat this question as "We know X is going to happen. What's the 
best way to mitigate the concerns of the community?" Exception was the wrong 
word in my original post. I should have used "What would you like us to do to 
mitigate when we miss the Jan 15th deadline?" instead. Apologies for the 
confusion there.


As I tried to highlight several times during early discussions, it's not really 
ideal to have each of these trickle in over time.


DigiCert has apparently decided that for 14-15 customers it has sufficient 
information to know that X is going to happen, based on their risk analysis. 
Why are we seeing bugs trickle in, such as 
https://bugzilla.mozilla.org/show_bug.cgi?id=1516545 ?


It would seem uncontroversial to suggest that, as part of the risk analysis 
that DigiCert is claiming has already been done, that it has all the 
information for an incident report for all of the customers it expects to not 
revoke certificates for. If it doesn't, then it suggests that the risk analysis 
is not being done responsibly, and being outsourced to the community to perform.


Should we expect another 12 bugs to be filed? If so, when? If not, why?


As mentioned, if treating this as part of a "Responding to underscores" 
incident, then this has the effect of being a slow trickle of an incomplete 
incident report overall and an incomplete remediation plan, and those tend not to 
bode well. I don't think it'd really be engaging with mitigating to, say, file 
a bug on Jan 14th, so how do we move the discussion forward and make sure the 
facts are available?

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy