On Tuesday, January 19, 2021 at 11:01:15 AM UTC+1, Ramiro Muñoz wrote:

> Finally, I’d like to ask you based on which article of the Mozilla Root Store 
> Policy you are sentencing a removal from the Mozilla store. 

Oh, I know this one: It is in the Mozilla Root Store Policy, 7.3: "Mozilla MAY, 
at its sole discretion, decide to disable (partially or fully) or remove a 
certificate at any time and for any reason." (You might really want to start to 
read the Mozilla Root Store Policy and BR before posting here or in incident 
reports.)

But please note that Matt is not sentencing anyone but merely providing 
arguments for the module peers/owner, who, by Mozilla's decision-making 
process, will call the shots in the end (by their sole discretion possibly 
based or not based on arguments in this thread).

Also, your whataboutisms might not serve you well. If you think that other CAs 
have handled incidents inadequately, your questions in the respective incident 
report bugs would surely have been much appreciated.

On the subject, since the start of this thread, things have actually got worse. 
Camerfirma evidently came under pressure, which, for a functioning CA, would 
result in better incident handling and an opportunity to show their solid 
foundation as a CA. Instead, Camerfirma, besides engaging in absurd 
argumentation in this thread, has started to request bugs clearly not fully 
remediated be closed 
(<https://bugzilla.mozilla.org/show_bug.cgi?id=1668331#c17>, 
<https://bugzilla.mozilla.org/show_bug.cgi?id=1667430#c35>). Recently, we have 
also learned that Camerfirma does not even have an understanding (or process) 
about the BR's revocation timelines 
(<https://bugzilla.mozilla.org/show_bug.cgi?id=1686966>).

There cannot be such a thing as a "last chance" ("Let's see how things work 
out"/"Camerfirma gets removed with the next incident") as this would put even 
more pressure on Camerfirma. It would also come with a massive incentive for 
Camerfirma to not report any more incidents. For Mozilla and their users, this 
would come with the risk of unreported incidents but also the need for an 
emergency release of Firefox and other relying software in case Camerfirma has 
to be removed in a disorderly way. Thus, orderly (pre-announced) distrust in 
one of the next Firefox releases is the only way forward.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy