Eddy Nigg (StartCom Ltd.) wrote:
> [Off-topic] For one I must notice the incredible inconvenience in
> working with Bugzilla and this mailing list. It happens many times that
> the same issue is discussed and tracked at different bugs in parallel.
> I'm CC'd on bug 434128 and just became aware of bug 435082. Can you tell me
> the best way to KNOW about such bugs which are related and might
> interest me? I can't spend my time searching all day long and on a daily
> basis for new bugs. I guess there is a formula or something...?

The situation is unusual. Related bugs should be connected with a
dependency relationship, or duped against each other. I'm not sure why
that hasn't happened in this situation.

Bugzilla is not a discussion forum, hence the move here.

> dedicated IP address etc). Therefore we have about another one third
> which might still be using a weak key. This boils down to very few
> still affected sites, probably less than 1.66%.

But 1.66% of 800,000 is still a lot of sites.

> Since all certificates issued at StartCom are valid for one year only,
> the risk assessment didn't warrant a full scan of all public keys
> considering the effort which must be put into such an effort. I expect the
> situation to be similar at most CAs. See also inline comments.

Because attackers won't bother to exploit the problem until the year has
passed?

Also, won't people just get the same key signed again for another year?
Or is that not possible?

>> If we can get a fairly complete list of vulnerable sites
> 
> How do you intend to find them?

Crawling the web.

>> We could use our contacts with CAs to try and convince them to change
>> their position on customer contact.
>>
>> - Publish a "CA hall of shame"
> And what if a CA refuses to comment or provide this information?

We generate the list from the results of our crawl.

Gerv
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security