On Mon, May 27, 2019 at 06:06:42AM +0300, Ryan Sleevi wrote: > On Mon, May 27, 2019 at 4:34 AM Matt Palmer via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > > That sounds an *awful* lot like Heartbleed: "a [...] proven method that > > exposes the Subscriber's Private Key to compromise". > > > > Several questions arise from this, which I'd like to get the opinion of the > > members of this illustrious debating society: > > Have you read through the archives? This was already discussed and decided > as part of handling Heartbleed. This was debated at length, in particular > as at least one (but possibly more) CAs charged for revocation, which > created challenges and potential conflicts with the contemporaneous BRs and > Policy.
Are you referring to the m.d.s.p archives, or somewhere else? (Perhaps public@cabforum?) I have, in fact, gone through the m.d.s.p archives, and I can't see anything that addresses what I'm asking. I can't even find a "lengthy" thread in https://groups.google.com/forum/#!searchin/mozilla.dev.security.policy/heartbleed%7Csort:date from around the time of Heartbleed that actually discusses revocation policy in any detail, just a couple of big ones that mention it in passing (like "DRAFT: May CA Communication"). The thread that seems to come closest to touching on the issues is from 2017, and doesn't start off discussing Heartbleed, but rather just a mass of compromised keys: https://groups.google.com/d/msg/mozilla.dev.security.policy/71AXGTgcX9c/skHsKFdDBAAJ I assume that isn't the discussion you were referring to, because it is so far removed, temporally, from "handling Heartbleed". I would appreciate it if you could point me specifically to the relevant past discussions, so I can inform myself of the past decision. - Matt _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
