On Mon, Jul 6, 2020 at 3:38 AM Dimitris Zacharopoulos <ji...@it.auth.gr> wrote:
> On 6/7/2020 9:47 π.μ., Ryan Sleevi wrote: > > I can understand wanting to wait to see what others do first, but that’s > not leadership. > > > This is a security community, and it is expected to see and learn from > others, which is equally good of proposing new things. I'm not sure what > you mean by "leadership". Leadership for who? > Leadership as a CA affected by this, taking steps to follow through on their commitments and operate beyond reproach, suspicion, or doubt. As a CA, the business is built on trust, and that is the most essential asset. Trust takes years to build and seconds to lose. Incidents, beyond being an opportunity to share lessons learned and mitigations applied, provide an opportunity for a CA to earn trust (by taking steps that are disadvantageous for their short-term interests but which prioritize being irreproachable) or lose trust (by taking steps that appear to minimize or dismiss concerns or fail to take appropriate action). Tim’s remarks on behalf of DigiCert, if followed through on, stand in stark contrast to remarks by others. And that’s encouraging, in that it seems that past incidents at DigiCert have given rise to a stronger focus on security and compliance than May have existed there in the past, and which there were concerns about with the Symantec PKI acquisition/integration. Ostensibly, that is an example of leadership: making difficult choices to prioritize relying parties over subscribers, and to focus on removing any/all doubt. You mean when I dismissed this line of argument? :) > > > Yep. You have dismissed it but others may have not. If no other voices are > raised, then your argument prevails :) > I mean, it’s not a popularity contest :) It’s a question of what information is available to the folks ultimately deciding things. If there is information being overlooked, if there are facts worth considering, this is the time to bring it up. Conclusions will ultimately be decided by those trusting these certificates, but that’s why it’s important to introduce any new information that may have been overlooked. > _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy