On 09/01/2016 04:20 AM, Matt Palmer wrote:
> That sounds an awful lot like "we can't fix our own systems", which is
> a... terrifying thought.
Not so; rather, according to my assessment, the cost and everything it
entailed (including other risks) to fix that particular issue outweighed
the benefits of having it fixed within a time-frame shorter than that.
> "Some time" being about a year longer than you stated it would take in
> the bug. That's quite some time.
If hardware changes and other infrastructural changes are involved, then
this time-frame can perhaps be reasonable. CA infrastructures are usually
not fast-moving ones, according to my experience. This wasn't about
changing a line or two in some software component.
> You were knowingly violating a MUST provision of RFC5280.
From experience, there have been many RFC violations, sometimes even
knowingly and intentionally, by software vendors (browsers), certificate
authorities and even policy writers such as the CAB Forum.
Mozilla, Microsoft, Google and others are sometimes violating or not
conforming to RFCs for this reason or the other. The implication and
severity of such a violation probably matter.
> The audit letter included an attestation from Management that, during the
> time of the audit, management believed that the CA complied with the
> Baseline Requirements.
True, we could demonstrate steps performed, plans produced,
implementations performed, etc. on this particular issue.
--
Regards
Signer: Eddy Nigg, Founder
StartCom Ltd. <http://www.startcom.org>
XMPP: [email protected] <xmpp:[email protected]>
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy