On Fri, Aug 18, 2017 at 04:04:48PM +0000, Stephen Davidson via dev-security-policy wrote:

> Siemens has previously indicated that the affected certificates are
> installed on high profile websites and infrastructure for Siemens' group
> companies around the world, and that a rushed revocation would create more
> damage than could be expected from the serial number noncompliance.
Have they considered that the potential outcome of a failure to demonstrate an ability and willingness to abide by the BRs and Mozilla policy could include having their intermediate CA certificate distrusted? Would that create more damage than a "rushed revocation"?

That revocation would need to be "rushed" at all speaks volumes to Siemens' unfamiliarity with the requirements under which they operate, or else their unwillingness to abide by those requirements. Revoking certificates within 24 hours of notification of misissuance is a requirement, and they should know that, have planned for it, and have their systems and processes designed in such a way as to be able to adhere to it. If that were the case, it would not be a "rushed" revocation and reissuance, but just business as usual.

- Matt