On Friday, July 3, 2020 at 5:30:47 PM UTC-4, Ryan Sleevi wrote: > On Fri, Jul 3, 2020 at 4:19 PM Peter Bowen wrote: >
I feel compelled to respond here for the first time even though I have never participated in CA/B forum proceeding and have never read through a single one of the 55 BRs that have been published over the last 8 years. I was informed yesterday that I would have to replace just over 300 certificates in 5 days because my CA is required by rules from the CA/B forum to revoke its subCA certificate. This is insane! Those 300 certificates are used to secure healthcare information systems at a time when the global healthcare system is strained by a global pandemic. I have to coordinate with more than 30 people to make this happen. This includes three subsidiaries and three contract partner organizations as well as dozens of managers and systems engineers. One of my contract partners follows the guidance of an HL7 specification that requires them to do certificate pinning. When we replace these certificates we must give them 30 days lead time to make the change. After wading through this very long chain of messages I see little discussion of the impact this will have on end users. Ryan Sleevi, in the name of Google, is purporting to speak for the end users, but it is obvious that Ryan does not understand the implication of applying these rules. Peter Bowen says > ... simply revoking doesn't solve the issue; arguably it makes it > worse than doing nothing. You are absolutely right, Peter. Doctors will not be able to communicate with each other effectively and people could die if the CA/B forum continues to blindly follow its rules without consideration for the greater impact this will have on the security of the internet. In the CIA triad Availability is as important as Confidentiality. Has anyone done a threat model and a serious risk analysis to determine what a reasonable risk mitigation strategy is? _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy