On Monday, May 27, 2019, Matt Palmer via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> On Mon, May 27, 2019 at 06:06:42AM +0300, Ryan Sleevi wrote:
> > On Mon, May 27, 2019 at 4:34 AM Matt Palmer via dev-security-policy <
> > dev-security-policy@lists.mozilla.org> wrote:
> > > That sounds an *awful* lot like Heartbleed: "a [...] proven method that
> > > exposes the Subscriber's Private Key to compromise".
> > >
> > > Several questions arise from this, which I'd like to get the opinion of the
> > > members of this illustrious debating society:
> >
> > Have you read through the archives? This was already discussed and decided
> > as part of handling Heartbleed. This was debated at length, in particular
> > as at least one (but possibly more) CAs charged for revocation, which
> > created challenges and potential conflicts with the contemporaneous BRs and
> > Policy.
>
> Are you referring to the m.d.s.p archives, or somewhere else? (Perhaps
> public@cabforum?) I have, in fact, gone through the m.d.s.p archives, and I
> can't see anything that addresses what I'm asking. I can't even find a
> "lengthy" thread in
> https://groups.google.com/forum/#!searchin/mozilla.dev.security.policy/heartbleed%7Csort:date
> from around the time of Heartbleed that actually discusses revocation policy
> in any detail, just a couple of big ones that mention it in passing (like
> "DRAFT: May CA Communication").
>
> The thread that seems to come closest to touching on the issues is from
> 2017, and doesn't start off discussing Heartbleed, but rather just a mass of
> compromised keys:
> https://groups.google.com/d/msg/mozilla.dev.security.policy/71AXGTgcX9c/skHsKFdDBAAJ
> I assume that isn't the discussion you were referring to, because it is so
> far removed, temporally, from "handling Heartbleed".
>
> I would appreciate it if you could point me specifically to the relevant
> past discussions, so I can inform myself of the past decision.
> - Matt

The very first result for "revocation Heartbleed" returns
https://groups.google.com/d/msg/mozilla.dev.security.policy/ItSu2bebBKk/VrNXwL-MCZgJ,
for example, which also links to https://bugzilla.mozilla.org/show_bug.cgi?id=994033

This also came up during the StartCom distrust decision, also linked from that same query:
https://groups.google.com/d/msg/mozilla.dev.security.policy/TbDYE69YP8E/JpdMjH98GQAJ,
which included related bugs.