On Wed, Mar 11, 2020 at 1:46 PM Chris Kemmerer via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> You are correct, each compliance violation is considered an incident.
> However in our opinion we have not violated our CP/CPS or the current
> Baseline Requirements.  Although this is a complex issue with no definite
> consensus on which authoritative list to use (only suggestions), we do have
> a weak keys detection mechanism in place, it does detect Debian weak keys
> (although it's not perfect) and it also detects ROCA vulnerable keys.


I've commented on the bug as much, but I find this response deeply
disappointing and disconcerting.

This CA ignored a widely known, explicitly circulated list of
known-compromised keys, and is now doubling down that there's nothing wrong
with this. The justification is "This key was not known to be compromised
/by us/", with their rationale of "The BRs explicitly tell us where we
could find a list of known weak/compromised keys, but doesn't say we have
to look at it, and so our elective ignorance is a virtue, not a vice".

Whatever your view of the correctness [1] of this argument, as a systemic
response from a CA, the entrenchedness here suggests that unless the CA can
be hand-held into being trustworthy, they will do the minimum possible
thing.

I appreciate the suggestions for improvement, and that's at least slightly
positive, but if the answer is "You have to tell us to read that page or we
won't, even if you tell us /about/ that page", then... meh, that's not a CA
that inspires confidence.

[1] https://www.youtube.com/watch?v=hou0lU8WMgo
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy