On Wednesday, March 13, 2019 at 9:09:35 PM UTC-4, Peter Gutmann wrote: > Richard Moore via dev-security-policy <dev-security-policy@lists.mozilla.org> > writes: > > >If any other CA wants to check theirs before someone else does, then now is > >surely the time to speak up. > > I'd already asked previously whether any CA wanted to indicate publicly that > they were compliant with BR 7.1, which zero CAs responded to (I counted them > twice). This means either there are very few CAs bothering with dev-security- > policy, or they're all hunkering down and hoping it'll blow over, which given > that they're going to be forced to potentially carry out mass revocations > would be the game-theoretically sensible approach to take: > > Option 1: Keep quiet case 1 (very likely): -> No-one notices, nothing happens. > Keep quite case 2 (less likely): -> Someone notices, revocation > issues. > Option 2: Say something -> Revocation issues. > > So keeping your head down would be the sensible/best policy. > > Peter.
IdenTrust confirms compliance: We do not run EJBCA, and our certificate serial number entropy is greater than what is required from BR 7.1. Marco S. _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy