On Thu, Dec 27, 2018 at 01:19:26PM -0800, Peter Bowen via dev-security-policy wrote:

> I don't see how this follows. DigiCert has made it clear they are able to
> technically revoke these certificates and presumably are contractually able
> to revoke them as well. What is being said is that their customers are
> asking them to delay revoking them because the _customers_ have blackout
> periods where the customers do not want to make changes to their systems.
> DigiCert's customers are saying that they are judging the risk from
> revocation is greater than the risk from leaving them unrevoked and asking
> DigiCert to not revoke. DigiCert is then presenting this request along to
> Mozilla to get feedback from Mozilla.
It's worth clarifying that "risk" is not a property of the universe, like magnetic flux density, but rather is assessed relative to specific entities. Thus, when talking about risk, it's worth clearly identifying to whom a risk is associated, as in this variant of part of the above paragraph:

> DigiCert's customers are saying that they are judging the risk *to them*
> from revocation is greater than the risk *to them* from leaving them
> unrevoked

I'm sure you're familiar with all this, Peter. I just thought it was worth highlighting for a wider audience, that one entity's assessment of risk to them doesn't make it a physical constant that applies equally to everyone. I find it very helpful when assessing such things to attach explicit markers, somewhat like ensuring I specify both magnitude *and* direction on my vectors.

- Matt

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy