Ryan,
I'm moving our particular discussions to Bugzilla.

I just want to clarify, again, that I'm not proposing to delay the revocation
of the offending CA certificate; what I'm proposing is to give more time to the
key destruction. Our position right now is that the certificate would be
revoked in any case during the 7-day period.

Thanks,
Pedro

On Saturday, July 4, 2020, 17:10:51 (UTC+2), Ryan Sleevi wrote:
> Pedro: I said I understood you, and I thought we were discussing in the
> abstract.
> 
> I encourage you to reread this thread to understand why such a response
> varies on a case by case basis. I can understand your *attempt* to balance
> things, but I don’t think it would be at all appropriate to treat your
> email as your incident response.
> 
> You still need to holistically address the concerns I raised. As I
> mentioned in the bug: either this is a safe space to discuss possible
> options, which will vary on a CA-by-CA basis based on a holistic set of
> mitigations, or this was having to repeatedly explain to a CA why they were
> failing to recognize a security issue.
> 
> I want to believe it’s the former, and I would encourage you, that before
> you decide to delay revocation, you think very carefully. Have you met the
> Mozilla policy obligations on a delay to revocation? Perhaps it’s worth
> re-reading those expectations, before you make a decision that will also
> fail to uphold community expectations.
> 
> 
> On Sat, Jul 4, 2020 at 10:22 AM Pedro Fuentes via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
> 
> > Thanks, Ryan.
> > I’m happy we are now in understanding to this respect.
> >
> > Then I’d change the literally ongoing plan. We should have the new CAs
> > hopefully today. Then I would do maybe also today the reissuance of the bad
> > ones and I’ll revoke the offending certificates during the period.
> >
> > Best.
> > _______________________________________________
> > dev-security-policy mailing list
> > dev-security-policy@lists.mozilla.org
> > https://lists.mozilla.org/listinfo/dev-security-policy
> >
