Pedro: I said I understood you, and I thought we were discussing in the abstract.
I encourage you to reread this thread to understand why such a response varies on a case by case basis. I can understand your *attempt* to balance things, but I don’t think it would be at all appropriate to treat your email as your incident response. You still need to holistically address the concerns I raised.

As I mentioned in the bug: either this is a safe space to discuss possible options, which will vary on a CA-by-CA basis based on a holistic set of mitigations, or this was having to repeatedly explain to a CA why they were failing to recognize a security issue. I want to believe it’s the former, and I would encourage you, that before you decide to delay revocation, you think very carefully.

Have you met the Mozilla policy obligations on a delay to revocation? Perhaps it’s worth re-reading those expectations, before you make a decision that will also fail to uphold community expectations.

On Sat, Jul 4, 2020 at 10:22 AM Pedro Fuentes via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> Thanks, Ryan.
> I’m happy we are now in understanding to this respect.
>
> Then I’d change the literally ongoing plan. We should have the new CAs
> hopefully today. Then I would do maybe also today the reissuance of the bad
> ones and I’ll revoke the offending certificates during the period.
>
> Best.
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy