On Sat, Nov 14, 2020 at 4:42 PM Nick Lamb <n...@tlrmx.org> wrote:

> To the extent your preferred policy is actually even about issue #205
> (see later) it's not really addressing the actual problem we have,
> whereas the original proposed language does that.
>

I don't entirely appreciate being told that I don't know what I'm talking
about, which is how this reply comes across, but as I've stated several
times, the _original_ language is sufficient here, it's the modified
language that's problematic.


> > Yes, you're absolutely correct that I want to make sure a CA says "any
> > method at our discretion", but it's not about humiliation, nor is it
> > redundant. It serves a valuable purpose for reducing the risk of
> > arbitrary, undesirable rejections, while effectively improving
> > transparency and auditability.
>
> This boilerplate does not actually achieve any of those things, and
> you've offered no evidence that it could do so.


Perhaps you and I see evidence as different things. Could you help share
your knowledge of the audit reports and the auditing profession, to help
explain what evidence would be helpful here.

I think this reply is trying to capture that either you don't understand
how it's relevant, or you disagree, but I think it's more useful if you
explain why or how you believe it doesn't achieve these things. I've tried
to do you the same courtesy, by demonstrating how it does, but I can't tell
by such a dismissive reply if you're disagreeing (and if so, why), or if
you simply don't understand and would like to learn more.


> If anything it encourages CAs *not* to actually offer what we wanted: a
> clearly
> documented but secure way to submit acceptable proof of key compromise.
>

Again, this isn't the case, and I very much demonstrated why it wasn't in
my previous message with respect to CP/CPS reviews. You have to do more
than just saying "No", otherwise that just comes across as petulance.


> Why not? It will be easier to write only "Any method at our discretion"
> to fulfil this requirement and nothing more, boilerplate which
> apparently makes you happy but doesn't help the ecosystem.
>

The problem with this statement is that it directly contradicts what I
wrote in the message you're replying to. You're making a strawman here, and
I already demonstrated to you precisely why, and how, it allows us to go
from nothing to X, Y, Z and then further on to A, B. You're description of
what "makes me happy" is literally the opposite of what I said, which is
why I'm concerned that you may not understand my previous message, or how
this works. I'm happy to help clarify further, but I think you need to
elaborate more here so we can clear up the confusion. I'm sure it's equally
unfulfilling to hear me keep telling you you're wrong, so if you're finding
you're unsure of what I meant, I'm happy to answer questions, rather than
have to respond to incorrect statements.

Again, so that it's (hopefully) clear for you, my expression is to support
the original language, and that the modified language introduces weaknesses
that the original language doesn't.


> > But equally, I made the mistake for referring to PACER/RECAP without
> > clarifying more. My reply was to address that yes, there is the
> > existence of "potentially illegitimate revocations", but that it's
> > not tied to "secret" documents (which you misunderstood). And my
> > mistake in not clarifying was that the cases weren't addressed to the
> > CA, but related to a CA subscriber. You can read more about this at
> >
> https://www.techdirt.com/articles/20180506/13013839781/more-copyright-holders-move-up-stack-more-they-put-everyone-risk.shtml
>
> > Here, this is about revocations that harm security, more than help,
> > and you can read from that post more about why that's undesirable at
> >
> https://medium.com/@mattholt/will-certificate-authorities-become-targets-for-dmca-takedowns-7d111275897a
>
> We're in the discussion about issue #205 which is about proving _key
> compromise_


*sigh* So you've move the goal post in your reply, and when I make a good
faith engagement,  you try to chide me about moving goalposts. You
introduced the notion of "potentially illegitimate revocations" as a
misunderstanding of what I said. In my reply, I clarified to you that they
are a thing, which you were dismissive of, and also clarified that you were
misunderstanding my point. You were further confused by the reply, and how
you want to chide me for clarifying for you why what you said was wrong.
Yes, you're absolutely correct that you introduced something offtopic, and
by replying to you, I let the conversation continue to be offtopic.

So, perhaps now that we've had this conversation, and you've learned about
potentially illegitimate revocations are a thing, but that they were not
the thing I was worrying about and that you'd misunderstood, perhaps we can
move back to the substantive discussion?
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
  • Policy 2.7.1:MRSP Issue #20... Ben Wilson via dev-security-policy
    • Re: Policy 2.7.1:MRSP ... Dimitris Zacharopoulos via dev-security-policy
      • Re: Policy 2.7.1:M... Ben Wilson via dev-security-policy
        • Re: Policy 2.7... Dimitris Zacharopoulos via dev-security-policy
        • Re: Policy 2.7... Ryan Sleevi via dev-security-policy
          • Re: Policy... Nick Lamb via dev-security-policy
            • Re: P... Ryan Sleevi via dev-security-policy
              • R... Nick Lamb via dev-security-policy
                • ... Ryan Sleevi via dev-security-policy
                • ... Nick Lamb via dev-security-policy
                • ... Ryan Sleevi via dev-security-policy
                • ... Peter Bowen via dev-security-policy
                • ... Ryan Sleevi via dev-security-policy
                • ... Dimitris Zacharopoulos via dev-security-policy
                • ... Ryan Sleevi via dev-security-policy
                • ... Dimitris Zacharopoulos via dev-security-policy
                • ... Nick Lamb via dev-security-policy
                • ... Ryan Sleevi via dev-security-policy
                • ... Matt Palmer via dev-security-policy
                • ... Nick Lamb via dev-security-policy
                • ... Matt Palmer via dev-security-policy

Reply via email to