On Sat, Oct 29, 2016 at 10:17:59PM -0700, Percy wrote:
> On Saturday, October 29, 2016 at 5:54:10 PM UTC-7, Matt Palmer wrote:
> > On Sat, Oct 29, 2016 at 02:59:07PM -0700, Percy wrote:
> > > Perhaps not. However, Qihoo 360's behavior calls the trustworthiness of
> > > the entire company into question. And such trust, in my view, should be
> > > evaluated when WoSign/StartCom submit their re-inclusion requests in the
> > > future.
> >
> > You can make that argument when WoSign/StartCom's reinclusion discussions
> > take place on this list. Now is not the appropriate time for that.
>
> WoSign/StartCom's re-inclusion request might be a year from now. In the
> meanwhile, those 400 million users will be exposed to MITM. That's why
> I'm bringing it up now, rather than one year later.

And you've already been told that there is nothing that the Mozilla
community can do, at this time, to influence Qihoo 360 into tightening their
certificate validation code, so there's no reason to keep on about it on
this list, at this time.

- Matt