This thread is full of strong policy reasons why DarkMatter’s intermediates 
should no longer be trusted. Those reasons alone would be enough for 
expeditious action. The risks to users discovered from recent reporting 
reinforce them.

I hope we don’t see too long of a delay before the root stores commit to 
removing DarkMatter’s intermediates and rejecting any root applications. The 
delays around Symantec’s removal, I believe, taught us that lingering makes 
migrations harder, not easier, and put more people at risk. 

This is especially true when dealing with an organization that is unable to 
respond productively to easily verifiable errors. 

If an organization was sending threats (especially bogus ones) in response to 
public discussion, that would make expeditious action more necessary, not less. 
Delay tactics like bogus threats are a signal that trust is untenable.

I look forward to hearing what the root store maintainers will be doing!
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
