Hanno Böck <ha...@hboeck.de> writes:

>The impact it had was a monitoring system that checked whether the
>certificate of a host was okay, using gnutls-cli with ocsp enabled (which
>also uncovered a somewhat unexpected inconsistency in how the gnutls cli tool
>behaves[1]).

Sure, but if the only impact was on a specially-configured setup (gnutls-cli
with OCSP explicitly enabled rather than a standard web browser) then it
didn't have any real impact on actual users.  It's a bit like the joke about
someone complaining about his neighbour sunbathing in the nude, which they're
forced to see every time they climb up a tall ladder and look over at their
property with binoculars (can't remember the exact form, but something like
that).

If the only thing that we have any evidence was affected was a monitoring
system specially set up to be affected then it seems pretty likely that the
actual impact of the outage on general users was zero.  Which makes it a
certificational weakness, not a practical one, and therefore much less of an
issue.

Peter.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
