Dear Mark! > -----Original Message----- > From: dev-security-policy <dev-security-policy-boun...@lists.mozilla.org> On > Behalf Of Ryan Sleevi via dev-security-policy > Sent: Samstag, 4. Juli 2020 20:06 > > On Sat, Jul 4, 2020 at 12:52 PM mark.arnott1--- via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > > > This is insane! > > Those 300 certificates are used to secure healthcare information > > systems at a time when the global healthcare system is strained by a > > global pandemic.
Thank you for bringing in your perspective as a certificate consumer. We at Siemens - as a certificate consumer - also have ~ 700 k affected personal S/MIME certificates out in the field, all of them stored on smart cards (+ code signing and TLS certificates ...). You can imagine, that rekeying them on short notice would be a total nightmare. > To be clear; "the issue" we're talking about is only truly 'solved' by the > rotation and key destruction. Anything else, besides that, is just > a risk calculation, and the CA is responsible for balancing that. Peter's > highlighting how the fix for the *compliance* issued doesn't fix > the *security* issue, as other CAs, like DigiCert, have also noted. Currently, I'm not convinced, that the underlying security issue (whose implication I of course fully understand and don't want to downplay) can only be fixed by revoking the issuing CAs and destructing the old keys. Sadly, all the brilliant minds on this mailing list are discussing compliance issues and the interpretation of RFCs, BRGs and 15-year-old Microsoft announcements, but it seems nobody is trying to find (or at least publicly discuss) a solution that can solve the security issue, is BRG / RFC compliant and doesn't require the replacement of millions of certificates - especially since many of those millions of certificates are not even TLS certificates and their consumers never expected the hard revocation deadlines of the BRGs to be of any relevance for them. And therefore they didn't design their infrastructure to be able to do an automated mass-certificate exchange. With best regards, Rufus Buschart Siemens AG Siemens Operations Information Technology Value Center Core Services SOP IT IN COR Freyeslebenstr. 1 91058 Erlangen, Germany Tel.: +49 1522 2894134 mailto:rufus.busch...@siemens.com www.twitter.com/siemens www.siemens.com/ingenuityforlife Siemens Aktiengesellschaft: Chairman of the Supervisory Board: Jim Hagemann Snabe; Managing Board: Joe Kaeser, Chairman, President and Chief Executive Officer; Roland Busch, Klaus Helmrich, Cedrik Neike, Ralf P. Thomas; Registered offices: Berlin and Munich, Germany; Commercial registries: Berlin Charlottenburg, HRB 12300, Munich, HRB 6684; WEEE-Reg.-No. DE 23691322 _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy