On Saturday, February 29, 2020 at 4:10:40 AM UTC-8, Nick Lamb wrote: > Hi Jacob, was there a reason not to use the ordinary incident reporting > format ? This is pretty good for ensuring you cover all the questions > we're otherwise likely to ask anyway.
Thanks for the reminder. My goal here was to post a preliminary notification promptly, and follow up with more detail. I'm definitely open to hearing from the community, and from Mozilla, if people prefer to have the preliminary notification filed in the incident reporting format, even if many fields will have to be left blank. > If it's not very difficult it would also be useful to have some idea > how many certificates might be affected. That is, how many certificates > were really issued to multiple FQDNs (if a single FQDN the bug described > has no effect) more than 8 hours after initial correct CAA checks ? > Intuitively this should be almost none, but intuitions can be > misleading. We're working on this analysis today. _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
