No one wants to paint a target on their back. If I announce we're 100% compliant with everything, that's asking to be shot in the face. You're welcome to look at ours. I think we fully comply with 7.1 (I've double checked everything) and would love to find out if we're not. I like the feedback and research so feel free to peel away at the DigiCert parfait.
-----Original Message-----
From: dev-security-policy <[email protected]> On Behalf Of Ryan Sleevi via dev-security-policy
Sent: Wednesday, March 13, 2019 8:03 PM
To: Peter Gutmann <[email protected]>
Cc: [email protected]; Richard Moore <[email protected]>
Subject: Re: Pre-Incident Report - GoDaddy Serial Number Entropy

On Wed, Mar 13, 2019 at 6:09 PM Peter Gutmann via dev-security-policy <[email protected]> wrote:

> Richard Moore via dev-security-policy <[email protected]> writes:
>
> >If any other CA wants to check theirs before someone else does, then now is
> >surely the time to speak up.
>
> I'd already asked previously whether any CA wanted to indicate publicly that
> they were compliant with BR 7.1, which zero CAs responded to (I counted them
> twice). This means either there are very few CAs bothering with
> dev-security-policy, or they're all hunkering down and hoping it'll blow
> over, which given that they're going to be forced to potentially carry out
> mass revocations would be the game-theoretically sensible approach to take:

To be fair, this is not an either/or proposition. The third option is that they could be ignoring you specifically, which may not be an unreasonable position, game-theoretically speaking of course.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

