On Tue, Jun 18, 2024 at 12:49 PM Walt <walterjma...@gmail.com> wrote:

> I'd just like to point out that we now have a situation where Entrust is
> in the position of seemingly valuing the opinion of other Root Programs
> over Mozilla: https://bugzilla.mozilla.org/show_bug.cgi?id=1890898#c42
>
> In Comment #37, it was hinted at (and made slightly more explicit in #39)
> that the opinion of the Mozilla RP is that the attempt to re-characterize
> these certs was not going to be looked kindly upon, and only once a Google
> RP member explicitly said that it was the Google RP opinion that the certs
> remained mis-issued was any movement made on re-confirming the mis-issuance
> and taking action to revoke them.
>
> Also, if we're in a position where Entrust is finally able to commit to
> revoking certs within a 5 day period (setting aside that these certs
> technically need a delayed revocation bug as the mis-issuance was known as
> far back as 2024-04-10), why are other incidents not able to be resolved in
> this amount of time? Is it because Google showed up?
>

We’ve seen this behaviour in other incidents as well, I believe including
the cpsURI one that has turned into a magnet for evidence of poor operation
and lack of transparency and responsiveness. I remarked on it in my initial
snarky reply to the Entrust Report, in fact.

From a realpolitik perspective their behaviour could indeed be rational,
especially when the only tool root programs have is distrust. Firefox would
suffer substantial market disadvantage if it stopped trusting Entrust
certificates when other browsers didn’t. I think people generally
underestimate how much Mozilla would be willing to take near-term pain to
protect users, but it’s also possible that I am overestimating it.

Related to that, I think Chrome’s root program representatives have
generally been more willing to take a concrete position quickly, so Mozilla
might be waiting for more explanation when Chrome decides that there’s no
explanation that could suffice, or similar. The root programs tend to be in
agreement more often than not (virtually always with Chrome and Mozilla, I
would say, excepting some slightly different root store populations), so it
may be somewhat irrelevant whose opinion spurs motion.

Realpolitik analysis aside, I do agree that Entrust has created the
impression that they care much more about Chrome’s opinion than Mozilla’s,
which IMO might not be the best posture to take given that Mozilla and its
community are the locus for the processing and evaluation of the incidents
in question.

Mike

-- 
You received this message because you are subscribed to the Google Groups 
"dev-security-policy@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to dev-security-policy+unsubscr...@mozilla.org.
To view this discussion on the web visit 
https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CADQzZqst2vaiaum%2BPomUJq7jRQvSn%3Dxhg9khxYwXyKeY9e8f7w%40mail.gmail.com.
