On Fri, Jan 19, 2018 at 1:44 PM, Matthew Hardeman <[email protected]> wrote:
> Ultimately, if it should arise that other CAs who rely on mechanisms
> implementing or claiming to implement method #10 have similar risk and
> vulnerabilities, those CAs should be called to task for not having timely
> disclosed and remediated. Further, perhaps those CAs should suffer the
> burden of mandatory revalidation under a different mechanism, as the
> vulnerability category has now been acknowledged in the community for some
> time and the recent press has been significant.
>
> In contrast, I think any remediation plan should reward Let's Encrypt and
> GlobalSign for their diligence and compliance to best practice.
>

I disagree with this notion of 'rewarding' some CAs by letting the first to disclose be allowed to continue to use methods that put users at risk.

Global user trust is not a 'reward', and removing that trust is not a 'punishment' - it is a calculation of risks based on available and mitigating factors. Framing it as 'reward' or 'punishment' unduly manipulates the discussion, because it suggests the notion of favorability / unfavorability, when the reality is that it's an objective evaluation across a multitude of dimensions.

Should those who have not come forward be called to task? Yes. Because they're ignoring industry best practice and they should revoke all of their certs due to the 'unacceptable risk' clause. That's not a punishment. That's mitigation based on the available information (i.e. none, for those that didn't self-disclose).

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

