On Sat, Nov 14, 2020 at 4:42 PM Nick Lamb <n...@tlrmx.org> wrote: > To the extent your preferred policy is actually even about issue #205 > (see later) it's not really addressing the actual problem we have, > whereas the original proposed language does that. >
I don't entirely appreciate being told that I don't know what I'm talking about, which is how this reply comes across, but as I've stated several times, the _original_ language is sufficient here, it's the modified language that's problematic. > > Yes, you're absolutely correct that I want to make sure a CA says "any > > method at our discretion", but it's not about humiliation, nor is it > > redundant. It serves a valuable purpose for reducing the risk of > > arbitrary, undesirable rejections, while effectively improving > > transparency and auditability. > > This boilerplate does not actually achieve any of those things, and > you've offered no evidence that it could do so. Perhaps you and I see evidence as different things. Could you help share your knowledge of the audit reports and the auditing profession, to help explain what evidence would be helpful here. I think this reply is trying to capture that either you don't understand how it's relevant, or you disagree, but I think it's more useful if you explain why or how you believe it doesn't achieve these things. I've tried to do you the same courtesy, by demonstrating how it does, but I can't tell by such a dismissive reply if you're disagreeing (and if so, why), or if you simply don't understand and would like to learn more. > If anything it encourages CAs *not* to actually offer what we wanted: a > clearly > documented but secure way to submit acceptable proof of key compromise. > Again, this isn't the case, and I very much demonstrated why it wasn't in my previous message with respect to CP/CPS reviews. You have to do more than just saying "No", otherwise that just comes across as petulance. > Why not? It will be easier to write only "Any method at our discretion" > to fulfil this requirement and nothing more, boilerplate which > apparently makes you happy but doesn't help the ecosystem. > The problem with this statement is that it directly contradicts what I wrote in the message you're replying to. You're making a strawman here, and I already demonstrated to you precisely why, and how, it allows us to go from nothing to X, Y, Z and then further on to A, B. You're description of what "makes me happy" is literally the opposite of what I said, which is why I'm concerned that you may not understand my previous message, or how this works. I'm happy to help clarify further, but I think you need to elaborate more here so we can clear up the confusion. I'm sure it's equally unfulfilling to hear me keep telling you you're wrong, so if you're finding you're unsure of what I meant, I'm happy to answer questions, rather than have to respond to incorrect statements. Again, so that it's (hopefully) clear for you, my expression is to support the original language, and that the modified language introduces weaknesses that the original language doesn't. > > But equally, I made the mistake for referring to PACER/RECAP without > > clarifying more. My reply was to address that yes, there is the > > existence of "potentially illegitimate revocations", but that it's > > not tied to "secret" documents (which you misunderstood). And my > > mistake in not clarifying was that the cases weren't addressed to the > > CA, but related to a CA subscriber. You can read more about this at > > > https://www.techdirt.com/articles/20180506/13013839781/more-copyright-holders-move-up-stack-more-they-put-everyone-risk.shtml > > > Here, this is about revocations that harm security, more than help, > > and you can read from that post more about why that's undesirable at > > > https://medium.com/@mattholt/will-certificate-authorities-become-targets-for-dmca-takedowns-7d111275897a > > We're in the discussion about issue #205 which is about proving _key > compromise_ *sigh* So you've move the goal post in your reply, and when I make a good faith engagement, you try to chide me about moving goalposts. You introduced the notion of "potentially illegitimate revocations" as a misunderstanding of what I said. In my reply, I clarified to you that they are a thing, which you were dismissive of, and also clarified that you were misunderstanding my point. You were further confused by the reply, and how you want to chide me for clarifying for you why what you said was wrong. Yes, you're absolutely correct that you introduced something offtopic, and by replying to you, I let the conversation continue to be offtopic. So, perhaps now that we've had this conversation, and you've learned about potentially illegitimate revocations are a thing, but that they were not the thing I was worrying about and that you'd misunderstood, perhaps we can move back to the substantive discussion? _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
