On Sunday, 18 June 2017 16:37:13 UTC+1, Eric Mill wrote:
> One question though, is whether the key was compromised at the time of
> intentionally shipping it in a distributed executable. That choice
> knowingly exposed the key to arbitrary public users, even if they didn't
> expect this to happen from doing so.

Yes, the subscriber intentionally compromised this key when they implemented this decision. This was a foreseeable consequence. If they didn't foresee it, that's not because it wasn't foreseeable but because they're foolish. A reasonable person who understood what was going on here (public key cryptography, the purpose of certificates in the Web PKI) should have understood they were intentionally compromising their key.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

