No one wants to paint a target on their back. If I announce we're 100% compliant with everything, that's asking to be shot in the face. You're welcome to look at ours. I think we fully comply with 7.1 (I've double checked everything) and would love to find out if we're not. I like the feedback and research so feel free to peel away at the DigiCert parfait.
-----Original Message----- From: dev-security-policy <dev-security-policy-boun...@lists.mozilla.org> On Behalf Of Ryan Sleevi via dev-security-policy Sent: Wednesday, March 13, 2019 8:03 PM To: Peter Gutmann <pgut...@cs.auckland.ac.nz> Cc: mozilla-dev-security-pol...@lists.mozilla.org; Richard Moore <richmoor...@gmail.com> Subject: Re: Pre-Incident Report - GoDaddy Serial Number Entropy On Wed, Mar 13, 2019 at 6:09 PM Peter Gutmann via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > Richard Moore via dev-security-policy < > dev-security-policy@lists.mozilla.org> writes: > > >If any other CA wants to check theirs before someone else does, then > >now > is > >surely the time to speak up. > > I'd already asked previously whether any CA wanted to indicate > publicly that they were compliant with BR 7.1, which zero CAs > responded to (I counted them twice). This means either there are very > few CAs bothering with > dev-security- > policy, or they're all hunkering down and hoping it'll blow over, > which given that they're going to be forced to potentially carry out > mass revocations would be the game-theoretically sensible approach to > take: To be fair, this is not an either/or proposition. The third option is that they could be ignoring you specifically, which may not be an unreasonable position, game-theoretically speaking of course. _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy