On Saturday, July 4, 2020 at 3:01:34 PM UTC-4, Peter Bowen wrote:
> On Sat, Jul 4, 2020 at 11:06 AM Ryan Sleevi via dev-security-policy
> <dev-security-policy@lists.mozilla.org> wrote:

> One of the challenges is that not everyone in the WebPKI ecosystem has
> aligned around the same view of incidents as learning opportunities.
> This makes it very challenging for CAs to find a path that suits all
> participants and frequently results in hesitancy to use the blameless
> post-mortem version of incidents.
> 
Why aren't we hearing more from the 14 CAs that this affects?  Correct me if I 
am wrong, but the CA/B Forum has something like 23 members??  An issue that 
affects 14 CAs indicates a problem with the way the forum collaborates (or 
should I say 'fails to work together').  Maybe this incident should have 
followed a responsible disclosure process and not been fully disclosed right 
before holidays in several nations.

> To clarify what Ryan is saying here: he is pointing out that he is not
> representing the position of Google or Alphabet, rather he is stating
> he is acting as an independent party.

> As you can see from earlier messages, Mozilla has clearly stated that
> they are NOT requiring revocation in 7 days in this case, as they
> judge the risk from revocation greater than the risks from not
> revoking on that same timeframe. Ben Wilson, who does represent
> Mozilla, stated:

> If Google were to officially state something similar to Mozilla, then
> this thread would likely resolve itself quickly.  Yes, there are other
> trust stores to deal with, but they have historically not engaged in
> this Mozilla forum, so discussion here is not helpful for them.

Thank you for explaining that.  We need to hear the official position from 
Google.  Ryan Hurst are you out there?
 
> For the future, HL7 probably would be well served by working to create
> a separate PKI that meets their needs.  This would enable a different
> risk calculation to be used - one that is specific to the HL7 health
> data interoperability world.  I don't know if you or your organization
> has influence in HL7, but it is something worth pushing if you can.

This has been discussed in the past and abandoned, but this incident will 
probably restart that discussion.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy