On Fri, Dec 28, 2018 at 12:12:03AM +0000, Jeremy Rowley via dev-security-policy 
wrote:
> This is very helpful. If I had those two options, we'd just revoke all the
> certs, screw outages. Unfortunately, the options are much broader than that.
> If I could know what the risk v. benefit is, then you can make a better
> decision? DigiCert distrusted - all revoked. DigiCert gets some mar on its
> audit - outages seem worse. Make sense? 

Given that Mozilla wants CAs to abide by its policies, which include
adherence to the BRs, and you appear to be saying that you'll adhere to the
BRs if you're threatened with distrust... I'd say the logical response from
Mozilla would be to threaten distrust.  I doubt, especially now, that you'll
get a categorical advance "it's OK to not revoke" from Mozilla.

- Matt

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
