On Wed, May 13, 2020 at 12:12 AM Peter Gutmann <pgut...@cs.auckland.ac.nz> wrote:
> Ryan Sleevi <r...@sleevi.com> writes: > > >>Following up on this, would it be correct to assume that, since no-one > has > >>pointed out any impact that this had on anything, that it's more a > >>certificational issue than anything with real-world consequences? > > > >That seems quite a suppositional leap, don't you think? > > It's been more than two weeks since the issue was first reported, if > no-one's > been able to identify any actual impact in that time - compare this to say > certificate-induced outages which make the front page of half the tech news > sites on the planet when they occur - then it seems reasonable to assume > that > the impact is minimal if not nonexistent. > > In any case I was inviting people to provide information on whether there's > been any adverse effect in order to try and gauge the magnitude, or lack > thereof, of this event. I would hardly say it’s reasonable to conclude whatever you want simply because no one has personally engaged with you for two days, and worse, that others support that view. I appreciate it as a rhetorical technique to try and force a reply, which it obviously did, but only to point out how deeply flawed the argument is, at least in a venue where replying to you is optional. A better approach would be to examine what and how clients would have been affected, and then how to quantify and measure that, as well as what the impact of that affect would be. Posing that you didn’t see a news story and you didn’t get any replies to your email on a relatively obscure newsgroup that it is proof there was no impact or harm ... isn’t that 😅 _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
