On Sun, Apr 19, 2020 at 6:13 AM Nick Lamb <n...@tlrmx.org> wrote:

> It's possible that I'm confused somehow, but for me §9.16.3 of the BRs
> does not have numbered item 5, and neither this nor §9.6.1 define
> "contractual jeopardy" nor do they clear up why a subscriber would want
> to shut down their service and perhaps be driven into bankruptcy in
> deference to a mere technical error.

9.6.3.

> Is your position now that your earlier advice was quite wrong and
> should be disregarded?

That’s an extreme take from what I wrote, and an extremely bad one at that. You asked for more details, I pointed you to the BRs which provide you more details. That answers the “what” that you wanted more details on. CAs are required to have legally enforceable agreements with Subscribers that, in some circumstances, the Subscriber must immediately cease use of the private key. You can see me referencing that as an abuse vector in the parallel thread on revocation reasons.

In any event, this incident report has been so thoroughly hijacked as to be unsalvageable as a thread for the purpose of gathering more data. This is because it was unfortunately taken as a pedagogical opportunity, and the advice wasn’t necessarily relevant to the incident at hand (e.g. GTS does not OCSP staple nor offer Subscribers the means to), nor good at capturing the tradeoffs (there’s a reason stapling isn’t done). Luckily, the bug exists to continue discussion there.