On Wed, Dec 26, 2018 at 1:03 PM Jeremy Rowley <[email protected]> wrote:
> Much better to treat this question as “We know X is going to happen. What’s the best way to mitigate the concerns of the community?” Exception was the wrong word in my original post. I should have used “What would you like us to do to mitigate when we miss the Jan 15th deadline?” instead. Apologies for the confusion there.

As I tried to highlight several times during early discussions, it's not really ideal to have each of these trickle in over time. DigiCert has apparently decided that for 14-15 customers it has sufficient information to know that X is going to happen, based on their risk analysis. Why are we seeing bugs trickle in, such as https://bugzilla.mozilla.org/show_bug.cgi?id=1516545 ?

It would seem uncontroversial to suggest that, as part of the risk analysis that DigiCert is claiming has already been done, it has all the information for an incident report for all of the customers it expects to not revoke certificates for. If it doesn't, then it suggests that the risk analysis is not being done responsibly, and is being outsourced to the community to perform.

Should we expect another 12 bugs to be filed? If so, when? If not, why?

As mentioned, if treating this as part of a "Responding to underscores" incident, then this has the effect of being a slow trickle of an incomplete incident report overall, and an incomplete remediation plan, and those tend not to bode well. I don't think it'd really be engaging with mitigating to, say, file a bug on Jan 14th - so how do we move the discussion forward and make sure the facts are available?

