Of all the possible options - G seems to be the most practical. It provides a few key benefits that I see as making it a clear leader:
1) It can be implemented quickly. It has been discussed that C is rather complex because of the size of the list, with the only truly practical solution being the development of a new method of querying certificates to see if they are in the list. That would take time to design, build, and coordinate with various vendors to implement. Given the severity of the issues, and the lack of transparency, I believe it's clear that a solution to minimize future harm is needed as quickly as possible.

2) As pointed out, the list would naturally shrink over time: as domain names expire and certificates are revoked or expire (without new ones being issued), the list could be updated to make it smaller and smaller over time. So the impact of size will diminish as time goes on.

3) This provides an opportunity for a very clearly defined turndown - establish a date of general distrust when the whitelist becomes active, and a date of whitelist expiration. This makes it easy for all to have a general idea of when these restrictions will be enforced, giving vendors and customers clear expectations and time to prepare.

4) This also provides an opportunity for StartCom / WoSign to attempt to clean up their act, and continue servicing existing customers (while minimizing risk by limiting new certificates) during the process. They could re-apply for inclusion, demonstrating that they are now actually in compliance, without excessive harm to them or to users. While it would be easiest to simply call for the death penalty and be done, this could serve as a substantial enough wake-up call to get them to correct their issues and operate properly. When faced with the impending doom of the company, they are likely to be willing to consider more options to truly correct issues.
Personally, I'm not at all convinced that the current management will be able to correct the issues, but if there's a way forward that can minimize risk and provide them a chance to change sufficiently that it minimizes impact to customers and end-users, that seems like the route to pursue. When trying to strike a balance that preserves trust, and minimizes impact to users, there is no perfect solution, but this option seems to strike a very reasonable balance.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

