In my opinion, Mozilla is too soft on violators... (sorry)
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
Thanks, Clemens. I'll take a look.
Also, apparently my redlining was lost when my message was saved to the
newsgroup.
I'll see if I can re-post without the text formatting of strikeouts and
underlines.
On Tue, Jan 26, 2021 at 10:24 AM Clemens Wanko via dev-security-policy <
On Tue, Jan 26, 2021, at 00:21, Ben Wilson via dev-security-policy wrote:
>
> - Do the proposed actions in the Remediation Plan address the underlying
> issues?
>
> - If Camerfirma fully executes on this plan, will that be sufficient to
> regain trust so that they can remain a CA in Mozilla's
On Tue, 26 Jan 2021 at 06:21, Ben Wilson via dev-security-policy
wrote:
>
> - Do the proposed actions in the Remediation Plan address the underlying
> issues?
One of the underlying issues is that Camerfirma has multiple SubCAs
each with their own control over ICA keys, CPS, certificate profiles,
On Monday, 25 January 2021 at 13:31:18 UTC+1, Matthias van de Meent
wrote:
> On Sun, 24 Jan 2021 at 20:58, Ramiro Muñoz via dev-security-policy
> wrote:
> >
> > Thanks everyone for your valuable contribution to the discussion. We’ve
> > prepared a thorough Remediation Plan that
Hi Ben,
looking at what was suggested so far for section 3.2, it seems that the BR
combine and summarize under "qualified" in the BR section 8.2 what you and
Kathleen describe with the definitions for "competent" and "independent"
parties.
Based upon that, MRSP section 3.2 could be structured
Hi Ben,
The CA has been given chance after chance to improve after incident after
incident but failed to do so. The remediation plan is a doorstop plan for
the CA to wedge the door open to remain in the Mozilla root store but it's
time to face the inevitable conclusion and the door must close on
All,
So far there have been several good comments. Please keep them coming.
I want to take this opportunity just to clarify a few things.
First, it has been Mozilla's long-standing position that, "We believe that
the best approach to safeguarding secure browsing is to work with CAs as
Ben,
Here are my thoughts:
- First off, we have given Camerfirma the benefit of the doubt for too long
and Mozilla can't continue to trust Camerfirma while they remediate these
problems. With all the documented issues and Camerfirma's response, that
would represent an unacceptable ongoing risk
In my personal opinion, given that most of the actions for the remediation plan
are expected to be completed during the first quarter of 2021, if the community
considers that the plan adequately prevents further issues, it would be
reasonable to establish a deadline to take such a decision
If you haven't heard already there is a LPE vulnerability in sudo and must
be patched immediately. Details here:
https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit
Thank you
Burton
On Mon, 25 Jan 2021 22:21:31 -0700
Ben Wilson via dev-security-policy
wrote:
> Camerfirma has responded to the list of issues by providing a Remediation
> Plan,
> https://drive.google.com/file/d/1DV7cUSWqdOEh3WwKsM5k1U5G4rT9IXog/view?usp=sharing,
> with a commitment to align Camerfirma to the