On Wed, Jan 2, 2019 at 1:32 PM Jakob Bohm via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> > 2. Change our policy to state that any undisclosed intermediate we discover
> > will be immediately and permanently added to OneCRL.
>
> This needs adding some logical criteria, notably:
>

It's not clear what you feel drives these requirements. A few selected comments below.

> - Send a stern warning e-mail to the CA contact when 2/3 of the time
>   between SubCA generation and deadline expiry has passed.
>

Could you explain why you see this being required?

> - In OneCRL, add a separate OneCRL reason marker for SubCAs revoked in
>   for this reason only. This to allow extremely space or bandwidth
>   constrained OneCRL consumers to omit those, as well as to provide
>   truthful error messages in full clients such as Firefox.
>

This one is more interesting. There is only one OneCRL consumer, and the question of product UI or behaviour is not really part of this Forum (note: policy). It seems like this is working backward from a requirement - you think there should be a different error message - and then trying to imply how to meet that, without really clearly stating that.

Could you instead elaborate on what you see the desired end-states are, rather than enumerating the proposed intermediate steps?

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy