On Tuesday, 19 January 2021 at 14:32:19 UTC+1, paul.leo....@gmail.com 
wrote:
> On Tuesday, January 19, 2021 at 11:01:15 AM UTC+1, Ramiro Muñoz wrote: 
> 
> > Finally, I’d like to ask you, based on which article of Mozilla Root Store 
> > Policy, you are sentencing a removal from the Mozilla store.
> Oh, I know this one: It is in the Mozilla Root Store Policy, 7.3: "Mozilla 
> MAY, at its sole discretion, decide to disable (partially or fully) or remove 
> a certificate at any time and for any reason." (You might really want to 
> start to read the Mozilla Root Store Policy and BR before posting here or in 
> incident reports.) 
> 
> But please note that Matt is not sentencing anyone but merely providing 
> arguments for the module peers/owner, who, by Mozilla's decision-making 
> process, will call the shots in the end (by their sole discretion possibly 
> based or not based on arguments in this thread). 
> 
> Also, your whataboutisms might not serve you well. If you think that other 
> CAs have handled incidents inadequately, your questions in the respective 
> incident report bugs would surely have been much appreciated. 
> 
> On the subject, since the start of this thread, things have actually got 
> worse. Camerfirma evidently got under pressure, which, for a functioning CA, 
> would result in better incident handling and an opportunity to show their 
> solid foundation as a CA. Instead, Camerfirma, besides engaging in absurd 
> argumentation in this thread, has started to request bugs clearly not fully 
> remediated be closed 
> (<https://bugzilla.mozilla.org/show_bug.cgi?id=1668331#c17>, 
> <https://bugzilla.mozilla.org/show_bug.cgi?id=1667430#c35>). Recently, we 
> have also learned that Camerfirma does not even have an understanding (or 
> process) about the BR's revocation timelines 
> (<https://bugzilla.mozilla.org/show_bug.cgi?id=1686966>). 
> 
> There cannot be such a thing as a "last chance" ("Let's see how things work 
> out"/"Camerfirma gets removed with the next incident") as this would put even 
> more pressure on Camerfirma. It would also come with a massive incentive for 
> Camerfirma to not report any more incidents. For Mozilla and their users, 
> this would come with the risk of unreported incidents but also the need for 
> an emergency release of Firefox and other relying software in case Camerfirma 
> has to be removed in an unorderly way. Thus, orderly (pre-announced) distrust 
> in one of the next Firefox releases is the only way forward.

Paul,
Thanks for your contribution.

Yes, we know art. 7.3 of the Mozilla Root Store Policy and we are aware that 
Mozilla may remove a certificate at any time and for any reason. 
Of course, in the event such a decision is taken, we would respect it but, for 
the sake of proper governance of our community, the reasons for such a traumatic 
decision should be clearly communicated to all community members. And the reason 
should be as objective as possible, bearing in mind – again – that Camerfirma 
is not the member with the highest number of incidents nor the member with the 
most severe ones. 

>Camerfirma, besides engaging in absurd argumentation in this thread, has 
>started to request bugs clearly not fully remediated be closed 
>(<https://bugzilla.mozilla.org/show_bug.cgi?id=1668331#c17>, 
><https://bugzilla.mozilla.org/show_bug.cgi?id=1667430#c35>).
 
Paul, it was a mistake when we tried to close all those open bugs when the answers 
from our side were already sent. This wasn't the case in this bug; in fact we 
keep on adding new information to it.

> Recently, we have also learned that Camerfirma does not even have an 
> understanding (or process) about the BR's revocation timelines 
> (<https://bugzilla.mozilla.org/show_bug.cgi?id=1686966>).

We have already published an answer in this bug explaining the timeline 
considered.



_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
